Step 1: Okta Login Page (Okta-initiated flow)
Step 2: Okta does a SAML assertion to Application 1 (this is our portal app, where we have links for other applications which also use Okta for auth)
Step 3: From Application 1 I open the protected URL of Application 2 (SPA OIDC PKCE Okta Login Page) in the next tab. The Okta SDK (Angular or React) initiates the authorize flow, but instead of showing the Okta login page the user is redirected to the callback URL with an auth code. I think here Okta used the session cookie.
Step 4: From Application 1 I open the protected URL of Application 3 (SPA OIDC PKCE Custom Login Page) in the next tab. The Okta SDK takes the user to the custom login page. I was expecting Application 2 to initiate the authorize flow using the cookie.
I think it is because of the domain difference.
- How can we SSO into such custom login page apps (Okta widget inside the app) without asking for credentials?
- Is my Step 3 flow correct? Or is there a better way to do this?