Okta Sign-in Widget, SPA and SSO with Other Okta Apps

We’re wanting to use the embedded sign-in widget on a site we’re building so that we can customize the look and feel of the sign in experience (site header/footer/custom styling/etc.). So, the redirect option is out.

We’ve got the sign-in widget working fine (via an OIDC app) - user hits a page on our site, we render the widget, they sign in. No problems there.

However, we have other apps integrated with our Okta instance that these users will need to access. Some are SAML, some are OIDC.

We were expecting that once a user authenticates via the widget, they could simply visit one of the other apps and they’d be authenticated there as well. Turns out, that’s not working. Users are still shown the Okta login once they hit one of those apps. We also noticed that if a user goes directly to the Okta dashboard, they’re prompted to authenticate. Of course, once the user authenticates via the Okta login page, they can move between all of these apps without having to authenticate again.

It feels to us that the widget isn’t establishing a session properly in Okta in order to support this SSO use case but we’re having a really hard time finding any information about this.

So, just to be clear, the flow would be:

User browses to our site->sees embedded sign-in widget->authenticates successfully->navigates to another app that’s connected to Okta->automatically signed in via Okta

Any thoughts/suggestions on how to get this working would be much appreciated.

Hello,

We’re wanting to use the embedded sign-in widget on a site we’re building so that we can customize the look and feel of the sign in experience (site header/footer/custom styling/etc.). So, the redirect option is out.

The easiest way to accomplish this is to set up a custom domain URL in Okta. This way you can fully customize the sign-in widget as if you were hosting it yourself. All of the flows and application-level MFA (assuming you are using Okta Classic) will work in the Okta-hosted model. With a self-hosted widget there are certain flows that either don’t work (application-level MFA) or need various workarounds (IdP Discovery).

If you want to use self-hosted widgets for each of your applications and support SSO, when a user visits the page, one of the first things the application should do is check for an existing Okta session. Then the correct path could be taken, depending on the result.
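As an added illustration of the session check described in the reply above (this is example code, not code from the thread or from Okta), the function below decides whether a self-hosted SPA can silently reuse an existing Okta session or has to render the embedded widget. It assumes the `@okta/okta-auth-js` client, where `authClient.session.exists()` resolves to a boolean and `authClient.token.getWithoutPrompt({ scopes })` resolves to a token response with a `tokens` property (okta-auth-js 4.x and later); the function name, the `path`/`reason` result shape, and the `renderWidget`/`onSignedIn` helpers in the usage comment are the example's own.

```javascript
// Added example (not from the thread or from Okta): pick the sign-in path for a
// self-hosted SPA page load. The client is injected so the logic can be tested
// offline with fakes; in the browser you would pass a real OktaAuth instance.
//
// Assumed okta-auth-js surface:
//   authClient.session.exists()                  -> Promise<boolean>
//   authClient.token.getWithoutPrompt({ scopes }) -> Promise<{ tokens }>
async function resolveSignInPath(authClient, { scopes = ['openid', 'profile'] } = {}) {
  // 1. Does the browser already carry an Okta org session cookie?
  let hasSession = false;
  try {
    hasSession = await authClient.session.exists();
  } catch (err) {
    // Network failure or the session endpoint being unreachable: fall back to
    // an interactive sign-in rather than guessing.
    return { path: 'widget', reason: 'session-check-failed' };
  }
  if (!hasSession) {
    return { path: 'widget', reason: 'no-session' };
  }

  // 2. A session exists: try to obtain tokens for this OIDC app without
  //    prompting. This is what gives the SSO behaviour across apps.
  try {
    const res = await authClient.token.getWithoutPrompt({ scopes });
    return { path: 'silent', reason: 'session-reused', tokens: res.tokens };
  } catch (err) {
    // The org session is valid but this app could not get tokens silently
    // (for example a login_required response when the app needs re-auth or
    // step-up). Show the widget so the user can complete the interaction.
    return { path: 'widget', reason: 'silent-token-failed' };
  }
}

// Usage in the browser (assumed helper names, not part of any Okta API):
//
//   const authClient = new OktaAuth({ issuer, clientId, redirectUri });
//   const decision = await resolveSignInPath(authClient);
//   if (decision.path === 'silent') {
//     onSignedIn(decision.tokens);      // proceed without showing the widget
//   } else {
//     renderWidget();                   // mount the embedded Sign-In Widget
//   }
```

The `reason` field is there so the page can log why the widget was shown; seeing `silent-token-failed` when a user clearly has an org session points at app-level policy rather than at a missing session cookie.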

Thanks for the response @erik.

Re: the SPA checking for an existing session - we’re actually having what appears to be the opposite of what you laid out. The user hits the SPA without first hitting another SSO app. They’re prompted to authenticate via the widget. They do so, then hit another SSO app at which point they’re prompted to authenticate again.

Almost as if the SPA and/or widget code should be establishing the session in Okta but isn’t.

We were assuming the widget would automatically do this once the user has authenticated.

I would assume that after the first login the session cookie for your Okta Org URL should be set in the browser.

We also noticed that if a user goes directly to the Okta dashboard, they’re prompted to authenticate.

So this is not happening. It would be helpful to see .har files of these transactions and see how the widget is being configured.

Hi @erik - I can provide a HAR file of this issue in action. Any suggestions on how I can get this to you securely? Thanks.

I would recommend opening a support case and attaching the .har file to it.
You can reference this post in the case.