Currently we have multiple apps(Eg. one is running on localhost:4200 and other on localhost:4201). Now when user signed in from localhost:4200 then on 4201 I want to redirect user to the main screen instead of login because they already signed in from 4200. Currently I created multiple applications in okta panel and using different client ids for both application.
When I signed in to the application and trying to access okta panel it is automatically signed in I want to know the same for my another application.
Login with multiple application
Related
After I try to launch an app using the Okta dashboard, I have a problem; it displays old user information (perhaps because the local app token is unclear when we sign out of the Okta dashboard).
Scenario
Sign in with user A to the Okta dashboard.
Use the Okta dashboard to launch my application
Exit user A from the Okta dashboard.
Sign in with user B to the Okta dashboard.
Run my application through the Okta dashboard once more (here it shows me User-A details)
So, is there a way to deal with this circumstance?
What is expected to happen?
It should show me the User-B details on my App
SDK Versions
#okta/okta-auth-js: ^6.0.0
#okta/okta-react: ^6.4.3
Execution Environment
macOS, Google Chrome, React (typescript)
I use Okta Sign users into your SPA using the redirect model
Thanks!!
I believe the issue is on your application side and in your expectations.
OIDC with Okta does not have a way to inform your application, that user A signed out of Okta. You need logout flow to be initiated from your application end.
So your app holds a token from user A and never had a chance to know, that in Okta user A logged off.
But my question is: does the fact that a user signed out of Okta mean that their identity changed?! No. So for your app the user is still confirmed legitimate user.
What you are trying to achieve is session management which is a responsibility of an application. Okta only confirms/asserts to your app a user's identity.
I have 5 different laravel applications including with one python app having each different database.i want SSO implementation where i can register and create account on one app and it will redirect to dashboard where cards of others apps are shown.when i click on any of these app it will redirect me to that specific app without giving login credential again for that app
Is there any solution or any thing that will help me to do so
I am trying to build an app in Laravel that uses the OneLogin API to provide a seamless integration with their data.
Part of the users' data is displayed in an embedded Tableau view (hosted on Tableau Online).
I have successfully added the Tableau app in OneLogin.
I have also
setup the SAML authentication - working
Laravel app can get a token and assertion via API from OneLogin
My understanding is that the SAML assertion is supposed to authenticate the user whose details were sent as part of the assertion, however, after receiving the assertion and redirecting to the view with the embedded Tableau view, the user is prompted to log in.
This kind of defeats the purpose of the assertion.
User prompted to log in:
Application storage:
Am I missing (misusing) the purpose of the assertion?
Should the assertion be added to the session?
How can I authenticate the user once without having them providing credentials for all the services used in the app?
I think you missed to enable iframe embedding.
When you enable SAML on your site, you need to specify how users sign in to access views embedded in web pages. These steps configure OneLogin to allow your OneLogin dashboard to be embedded into an inline frame (iFrame) on another site. Inline frame embedding may provide a more seamless user experience when signing-on to view embedded visualizations. For example, if a user is already authenticated with your identity provider and iFrame embedding is enabled, the user would seamlessly authenticate with Tableau Server when browsing to pages that contain an embedded visualizations.
Reference: https://onlinehelp.tableau.com/current/online/en-us/saml_config_onelogin.htm#enable-iframe-embedding
I am not sure how to correctly handle Google domain application access/revoke. Situation is quite standard:
domain admin installs an application through marketplace workflow (scopes, setup url, ...)
application is than listed in admin console for domain (https://admin.google.com/AdminHome?fral=1#AppsList:serviceType=MARKETPLACE)
everything works fine, users can access app
at some moment, for some reason admin revokes application data access through the admin console for whatever reason (application is not deleted, only "disabled")
since than, as there is no privilege granted for app in domain, every user who accesses the application is redirected to error page
And here comes the question - how to properly detect and handle this. As some Google docs say, app should re-request required privileges through consent screen (approval force param).
But as my tests show - when user (admin or non-admin) accepts scopes needed on consent screen, application on admin console is still displayed with no data access.
But the same application is instead listed in user's connected apps (https://security.google.com/settings/security/permissions), even it is domain-installable app!
So do I programmatically handle this situation. Is there a way, or should I just redirect (admin)user to admin console to manually turn data access for that application on?
BTW, after marketplace installation, "sometimes" another consent screen pops up first time visiting app url - which obviously requests same scopes as marketplace listing - why is that?
On that case, application is dually listed like in previous case - in domain and in user's connected apps.
We have a desktop application that is used to upload content to a web application, both use Okta for authentication. Before uploading, the desktop application authenticates the user via Okta using an embedded browser control. Later in the workflow we want to open the user's default browser so he/she can start using the web application directly. At the moment the user will need to login a second time when their default browser opens.
We planned to implement a mechanism to generate a one-time key (transferable session token) that can be passed as a URL parameter when the browser is opened. For our application's own token we can achieve this but we also need to transfer the Okta session (cookie) and we have not found a way to transfer this from the desktop browser control to the standalone browser.
What options are available to achieve this?
Edit: it is acceptable if a new session is created for the standalone browser as long as the user identity stays the same and the user does not have to provide login details a second time.
Unfortunately, Okta does not have a way to transfer one active session to another as you describe.
However, if you have enough control over the organization's environment, you could simulate this behavior. For Okta organizations that use IWA to authenticate users, you would get this sort of feature "automatically" (provided that the user's default browser supports Active Directory). Another way could be to configure your web application as a "SAML IdP" and have it "transfer a session" to Okta using a SAML Response and Okta's Inbound SAML functionality.