Hi Jeff,
Here’s my attempt at answering your questions:
- You can try using IDP Discovery and setting your application URL in the requestContext. Please see https://support.okta.com/help/s/article/Relay-state-lost-when-using-IDP-Discovery-in-Sign-In-widget as an example. You may have to add some custom logic to handle multiple target URLs for multiple applications or set up multiple custom login pages.
- Again, you can probably use IDP Discovery and routing rules; that user should fall under the default routing rule, under which they can authenticate using username/password.
- Yes, you can make API calls from your application (remember to add it as a Trusted Origin). A useful one might be the webfinger endpoint: https://developer.okta.com/docs/reference/webfinger/#finding-a-user-s-idp
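
The WebFinger lookup mentioned in the last point, as an added example that is not part of the original reply or Okta's own code: it builds the lookup URL, reads the `okta:idp` link from the response, and only returns a redirect when the link stays on the org that was queried. The org URL, the function names and the sample responses are assumptions constructed for illustration; the field names follow the WebFinger reference linked above.

```javascript
// Added example. ORG is a placeholder org URL; the sample bodies below are constructed.
const ORG = "https://example.okta.com";

// Build the WebFinger lookup URL for a login name (resource = okta:acct:<login>).
function webfingerUrl(orgUrl, login) {
  const u = new URL("/.well-known/webfinger", orgUrl);
  u.searchParams.set("resource", "okta:acct:" + login);
  return u.toString();
}

// Decide what the login page should do with a parsed WebFinger body.
function resolveIdp(orgUrl, body) {
  const links = Array.isArray(body && body.links) ? body.links : [];
  const link = links.find((l) => l && l.rel === "okta:idp");
  // No IdP link: this example falls back to the normal username/password form.
  if (!link) return { action: "password" };
  const props = link.properties || {};
  // Default routing rule: the user authenticates against Okta itself.
  if (props["okta:idp:type"] === "OKTA") return { action: "password" };
  // Only follow an href that stays on the org we queried, over HTTPS.
  const href = new URL(link.href);
  if (href.protocol !== "https:" || href.origin !== new URL(orgUrl).origin) {
    throw new Error("IdP href is outside the Okta org: " + href.origin);
  }
  return { action: "redirect", type: props["okta:idp:type"], url: href.toString() };
}

// Browser-side wrapper; the page's origin must be a Trusted Origin (CORS).
async function findIdp(orgUrl, login) {
  const res = await fetch(webfingerUrl(orgUrl, login));
  if (!res.ok) throw new Error("WebFinger lookup failed: " + res.status);
  return resolveIdp(orgUrl, await res.json());
}

// Constructed sample responses (not captured from a real org).
const SAMPLE_DEFAULT_RULE = { subject: "okta:acct:jeff@example.com", links: [
  { rel: "okta:idp", href: ORG + "/sso/idps/OKTA",
    properties: { "okta:idp:type": "OKTA" } }] };
const SAMPLE_SAML = { subject: "okta:acct:pat@partner.example", links: [
  { rel: "okta:idp", href: ORG + "/sso/idps/0oaCONSTRUCTED0000001",
    properties: { "okta:idp:type": "SAML2", "okta:idp:id": "0oaCONSTRUCTED0000001" } }] };
const SAMPLE_FOREIGN_HREF = { subject: "okta:acct:pat@partner.example", links: [
  { rel: "okta:idp", href: "https://example.okta.com.attacker.test/sso/idps/x",
    properties: { "okta:idp:type": "SAML2" } }] };
```
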