SP initiated SSO + Session cookie

I am building an SP initiated Single sign On and I am able to Log in.
The problem is that I have to control the session of my custom application at my side (because I am using a custom app with a custom login page).
I did not have access to “sid” cookie, because it stays only in okta domain, how can I control the session in my website?
I know that I can create a session with session API and send to my website the cookie generated with “sid” value, but in that case I don’t have a SSO with Okta and other apps.
Am I missing something?

I really appreciate any help, I am stuck on this for days.
Thanks in advance!

As long as the other application does not block third party cookies (since the okta session cookie will ONLY exist on the Okta domain), it can check if the Okta session exists by making a CORS request to the sessions endpoint.

However, your application should NOT be relying on the Okta session cookie to manage your user’s sessions. If you haven’t already, I recommend looking into OpenID Connect and how tokens issued to your applications/user can be used to manage user session. Your OIDC apps can then support SSO (based again on the Okta session cookie), while managing their own sessions on their own domains.

Hello Andrea,
thanks for the answer!
I am able to access Okta session making a request to the sessions endpoint, but this call only works on front-end, I have a requirement to manage login and sessions on java back-end, but back-end always return a session not found doing the same request that is working on front-end.
That’s why I am trying to find a way to read the “sid” cookie and set on my application domain, because having a session id I am able to retrieve session data and control access to my website using java with this endpoint: Sessions | Okta Developer

Maybe OIDC works better, but we are using SAML because of the client architecture that already use SAML in another applications.

In this case, is that some another way that I can read the Okta sid value to control my website access via back-end?

Thank you once more!

I am stuck with the exact same issue where in I have a SAML authentication and wants the session sid to get the session details. Did you find any solution for the same?
Thanks in advance!

Yes, I used the endpoint pointed by Andrea above.

With this endpoint I could get the active session. This endpoint will only return the session when called by your frontend. So I am calling this endpoint on frontend, setting session ID on browser’s cookie and everything else doing on backend, having the sid number you can call Sessions | Okta Developer to validate if the session is still valid on backend.

Hi Elizabeth,

I am actually implementing the same solution for one application and I have a question on how did you call the Get Current Session endpoint?

In the documentation says it needs as parameter an Okta Cookie. How did you read that Okta session cookie when it exists?

Thanks in advance for your help.

Kind regards,

Hey @davexriv90! You might want to check out the following post from a previous thread - In particular, the credentials bit: