Review of SSO approach / Okta API

#1

Hi, looking to make sure I understand how to use Okta properly, and I have two questions below. Here is what I’d like to do:

  1. I have 2 apps, one I built (let’s call this X), one that is built by another company (call this Y), but supports SAML based SSO. I was hoping to use Okta as a basis for users seamlessly accessing both apps once logged in. That is, the usual SSO experience.

  2. I would prefer to have a completely custom landing page, etc. with X, and so I was thinking to use the Okta Auth API for everything. Would I create an Okta Session using the REST API at that point and use the Refresh Session API for browsers (https://developer.okta.com/docs/api/resources/sessions/#refresh-current-session) going forward? If so, which Auth API call would I make to get the session token or to establish the cookie originally, without the user leaving my app?

  3. Once users login, I would like to make sure they of course can seamlessly use Y. Would just setting the session cookie once logged in enable the rest of the SAML based SSO handshake to execute correctly? I just want to be sure that the user isn’t asked to login again when they navigate from my dashboard page on X to Y via a link I have there.

Thank you

#2

Hi @gb987

I would recommend a flow like the following:

  1. User logs in to the application
  2. The application sends a client-side request to Okta to authenticate the user
  3. The application opens the two applications in tabs, using the “Embed link” found under Admin >> Applications >> Your app >> General tab.

To generate a session token, you can do an API call to /api/v1/authn, as described here and use the steps described here to create a browser session. Alternatively, you can use the Okta sign-in widget which has the function already implemented.

#3

Thanks @dragos, much appreciated. Just a couple of clarifying questions:

a) When you say “client side request” to Okta, you’re talking about the REST API, which I would call from my server (as a client to Okta). Am I correct?

b) I understand the idea of getting a session token to create a session cookie, but I’m wondering what I do whenever a user hits a page to verify that their session is valid (and in fact to refresh it). The obvious thing from the docs would be https://developer.okta.com/docs/api/resources/sessions/#refresh-current-session , but I am not sure on how to do that in the browser. Wouldn’t that just redirect them to Okta? Or do I make this call in my server side code, whenever the user hits a valid page?

c) Once the user is logged in via this method, is he able to access a SAML app linked to his account? Basically, regardless of SPA or auth2 or SAML, once a user is logged in, can he access any app linked to the account (for which he is assigned)?

Thanks!

#4

Hi @gb987

These are AJAX requests that are done through the browser to your Okta org’s API endpoints, as described here.

You can do an ajax GET request to /api/v1/sessions/me to check if there is a user’s session active.

Yes. Once he has an active session with Okta inside the browser, you can redirect him to an embed link (Applications >> App >> General tab >> end of page). It looks something like

https://dragos.okta.com/home/template_swa/0oa3w0mmafi5q5Noz2p7/2357
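The flow sketched in #2 and #4 written out end to end, as an added example that is not from the thread, from Okta's SDKs or from the sign-in widget. The org URL is a placeholder, the embed link is the one quoted above, and `fetch` is injectable so the logic can be exercised without a network.

```javascript
// Constructed example: Okta primary auth -> session cookie -> session check, from the browser.
const OKTA_ORG = "https://example.okta.com"; // placeholder org URL, not a real tenant

// Step 1 (post #2): POST /api/v1/authn with the user's credentials. Only a SUCCESS
// transaction carries a one-time sessionToken; every other status (MFA_REQUIRED,
// PASSWORD_EXPIRED, LOCKED_OUT, ...) is surfaced so the app handles it instead of
// treating the user as logged in.
async function primaryAuth(username, password, fetchFn = fetch) {
  const res = await fetchFn(`${OKTA_ORG}/api/v1/authn`, {
    method: "POST",
    headers: { "Content-Type": "application/json", Accept: "application/json" },
    body: JSON.stringify({ username, password }),
  });
  if (!res.ok) throw new Error(`authn failed: HTTP ${res.status}`);
  const txn = await res.json();
  if (txn.status !== "SUCCESS") {
    throw new Error(`authn transaction status ${txn.status}; handle it before continuing`);
  }
  return txn.sessionToken;
}

// Step 2: exchange the sessionToken for the Okta session cookie. The cookie lives on the
// Okta domain, so the browser must visit Okta once; the session redirect link does that
// and then sends the user to redirectUrl (e.g. app Y's embed link, so Y's SAML handshake
// finds an active Okta session). The sessionToken is single-use and short-lived.
function sessionCookieRedirectUrl(sessionToken, redirectUrl) {
  const u = new URL("/login/sessionCookieRedirect", OKTA_ORG);
  u.searchParams.set("token", sessionToken);
  u.searchParams.set("redirectUrl", redirectUrl);
  return u.toString();
}

// Step 3 (post #4): on later page loads, GET /api/v1/sessions/me. credentials: "include"
// sends the Okta cookie cross-origin, which only works if the app's origin is registered
// as a Trusted Origin (CORS) in the Okta admin console. 404 means no active session.
async function currentSession(fetchFn = fetch) {
  const res = await fetchFn(`${OKTA_ORG}/api/v1/sessions/me`, {
    method: "GET",
    credentials: "include",
    headers: { Accept: "application/json" },
  });
  if (res.status === 404) return null; // not logged in: send the user to the login page
  if (!res.ok) throw new Error(`sessions/me failed: HTTP ${res.status}`);
  return res.json();
}
```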