And we’d love the user to log in once, and when they get to the next domain, they don’t have to be re-sent to Okta to get a token for that domain. Is it possible to pass the initial token around? Is it recommended? Will the same token work on other domains?
And what we’d LOVE, icing on the cake, would be to allow this same token to access other SaaS products that use Okta, like Workday, an LMS system, etc.
Not sure what you mean when you say “token”. If it’s what everybody calls a token, which is probably an access token from the OAuth server, then it couldn’t care less about the domain you are coming from (except for CORS, of course, but that’s not OAuth-related). As long as you have succeeded in authenticating yourself to the server (through application sign-in), on the premise that you are granted access to the resource (scope requested), you will be given an access token (JWT). Then you are free to use this token with any server which validates your token against the same OAuth server.
Besides this definition of “token”, I can’t think of any other (cookies, assertions…). There are ways to build SSO without tokens, but it really depends on what a target application supports from a sign-on perspective. If those products are integrated with Okta, then there is a chance to use the SAML/OIDC protocols for SSO into the apps, as long as you have an Okta session active and all of those apps are integrated with the same Okta tenant.
Yes, you can use it wherever you want. The token is not attached to any domain. You may want to google for ‘access token validation’ to get a better idea of how access tokens work and are used.
Don’t mix tokens up with cookies; those are two different things.
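Added example, not from the thread or from Okta: a minimal resource-server check that shows what both answers describe. Acceptance depends on signature, issuer, audience, expiry and scope, and the domain the token arrives from never enters the decision. HS256 with a constructed shared secret stands in for Okta’s RS256 keys published via JWKS so the code runs offline; the issuer URL and audience are hypothetical.

```python
import base64, hashlib, hmac, json, time

# Constructed stand-ins. Okta signs access tokens with RS256 and publishes the
# public key via JWKS; a shared HS256 secret is used here only so the example
# runs offline with the standard library.
ISSUER = "https://example.okta.com/oauth2/default"   # hypothetical issuer
AUDIENCE = "api://default"                            # hypothetical audience
SIGNING_KEY = b"constructed-demo-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(sub: str, scope: str, ttl: int = 3600, now=None) -> str:
    """Mint a JWT access token the way the authorization server would."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": sub, "aud": AUDIENCE,
              "scp": scope.split(), "iat": now, "exp": now + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_token(token: str, trusted_issuer: str, required_scope: str, now=None) -> dict:
    """Resource-server side: any API on any host that trusts the same issuer
    runs exactly this check; no hostname or cookie is involved."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")      # never trust the alg the token names
    expected = hmac.new(SIGNING_KEY, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    if claims.get("iss") != trusted_issuer:
        raise ValueError("untrusted issuer")    # token from a different OAuth server
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if required_scope not in claims.get("scp", []):
        raise ValueError("insufficient scope")
    return claims

def check(token: str, trusted_issuer: str, required_scope: str, now=None) -> str:
    """Convenience wrapper: 'ok' or the rejection reason."""
    try:
        validate_token(token, trusted_issuer, required_scope, now)
        return "ok"
    except ValueError as err:
        return str(err)
```

The same token passes on two different APIs as long as both trust the same issuer and the requested scope was granted; a server configured for another issuer, an expired token or a tampered payload is rejected.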