Okta Classic Engine · Okta Integration Network · Answered · Posted 2020-09-29 (updated 2020-12-07 and 2024-11-10)

jn5kb (jn5kb) asked a question.

Attempts Auth with the wrong o365 Application

We have a number of federated domains, and each has an application which is assigned by primary domain. External users, after refreshing an old session, are directed to Okta and receive the prompt "Sorry, you can not access the otherfeddomain.com app because you are not assigned this app in Okta".

If the user restarts the browser or clears the cookie cache, the connection works immediately. The issue affects multiple types of browsers. Today it affected our complete user base.

We have logged a support case; support reviewed the configuration, did not find any issues, and then asked us to log a support call with Microsoft to resolve the issue.

If anyone has any ideas, please let me know before we disable the federation to Okta for O365.


  • Hello Joshua,

    This is Bogdan from Okta Tier 2 Support, thank you for opening a ticket on our Help Center page.

    The redirect is based on login_hint, which gets populated when you refresh the page. Downstream, the user is redirected to the IdP, and later to the application itself. Honestly, this seems to require a bit of investigation at the application level, so a ticket to a Support Engineer would be a good way to initiate that.

    When opening a Support ticket, please make sure that you include a Fiddler trace capturing the behavior, so we can review the requests and redirects happening and advise on next steps.

    • Download Fiddler (Windows only).
    • Install Fiddler on a Windows workstation (or server) where you intend to capture the browser session.
    • Launch Fiddler.
    • From the Fiddler menu, select Tools -> Options.
    • Change to the HTTPS tab.
    • Enable the following settings:
      • Capture HTTPS CONNECTs
      • Decrypt HTTPS traffic
    • Select "...from all processes".

    Accept the prompts to trust and install the Fiddler root certificate. (This step is required to decrypt HTTPS traffic.)

    Restart your browser and reproduce the scenario requested by Okta Customer Support.

    Once the reproduction sequence is complete, save the trace by selecting File -> Save -> All Sessions, and specify the Session Archive (.saz) file.

    Provide this .saz file to us via the support ticket.

     

    Thank you,

    Bogdan Albu

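The support engineer's advice above is to capture the redirect chain and look at the login_hint that drives the redirect to the IdP. The script below is an added example, not code from the thread or from Okta: it reads a Fiddler Session Archive (.saz is a zip whose raw/ folder holds NN_c.txt request and NN_s.txt response files per session), lists each hop with its status and Location header, and pulls the domain out of any login_hint or username query parameter so a hop that names a domain other than the user's own can be flagged. The archive it builds is constructed for the example; the hostnames, the Okta app id 0oaEXAMPLE, the WS-Fed endpoint path and the user jane@otherfeddomain.com are placeholders, not values from the page.

```python
"""Added example: list the redirect chain in a Fiddler .saz and flag hops whose
login_hint/username domain is not the domain the user should sign in with.
A .saz is a zip with raw/NN_c.txt (request) and raw/NN_s.txt (response).
The sessions below are constructed; every host, id and user is a placeholder."""
import io
import re
import zipfile
from urllib.parse import parse_qs, urlsplit

# Query parameters that carry the identity hint on the way to the IdP.
HINT_PARAMS = ("login_hint", "username")

# Constructed sessions: (raw request, raw response) in capture order.
SAMPLE_SESSIONS = [
    ("GET https://outlook.office.com/owa/ HTTP/1.1\r\nHost: outlook.office.com\r\n\r\n",
     "HTTP/1.1 302 Found\r\nLocation: https://login.microsoftonline.com/login.srf"
     "?wa=wsignin1.0&login_hint=jane%40otherfeddomain.com\r\n\r\n"),
    ("GET https://login.microsoftonline.com/login.srf?wa=wsignin1.0"
     "&login_hint=jane%40otherfeddomain.com HTTP/1.1\r\nHost: login.microsoftonline.com\r\n\r\n",
     "HTTP/1.1 302 Found\r\nLocation: https://example.okta.com/app/office365/0oaEXAMPLE"
     "/sso/wsfed/passive?wa=wsignin1.0&wtrealm=urn%3Afederation%3AMicrosoftOnline"
     "&username=jane%40otherfeddomain.com\r\n\r\n"),
    ("GET https://example.okta.com/app/office365/0oaEXAMPLE/sso/wsfed/passive"
     "?wa=wsignin1.0&wtrealm=urn%3Afederation%3AMicrosoftOnline"
     "&username=jane%40otherfeddomain.com HTTP/1.1\r\nHost: example.okta.com\r\n\r\n",
     "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
     "<html>Sorry, you can not access the otherfeddomain.com app ...</html>"),
]


def build_sample_saz(sessions=SAMPLE_SESSIONS) -> bytes:
    """Write the constructed sessions into an in-memory zip laid out like a .saz."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i, (req, resp) in enumerate(sessions, start=1):
            zf.writestr(f"raw/{i:02d}_c.txt", req)
            zf.writestr(f"raw/{i:02d}_s.txt", resp)
    return buf.getvalue()


def _request_url(raw: str) -> str:
    """Absolute URL from the request line (Fiddler stores the full URL there)."""
    return raw.split("\r\n", 1)[0].split(" ", 2)[1]


def _status_and_location(raw: str):
    """Status code and Location header (None if absent) from a raw response."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split(" ", 2)[1])
    location = None
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location


def redirect_chain(saz_bytes: bytes):
    """Return [(request_url, status, location)] in session-number order."""
    chain = []
    with zipfile.ZipFile(io.BytesIO(saz_bytes)) as zf:
        matches = (re.fullmatch(r"raw/(\d+)_c\.txt", n) for n in zf.namelist())
        for sid in sorted((m.group(1) for m in matches if m), key=int):
            req = zf.read(f"raw/{sid}_c.txt").decode("utf-8", "replace")
            resp = zf.read(f"raw/{sid}_s.txt").decode("utf-8", "replace")
            status, location = _status_and_location(resp)
            chain.append((_request_url(req), status, location))
    return chain


def hint_domain(url: str):
    """Domain part of the login_hint/username in a URL's query, or None."""
    qs = parse_qs(urlsplit(url).query)
    for param in HINT_PARAMS:
        value = qs.get(param, [""])[0]
        if "@" in value:
            return value.rsplit("@", 1)[1].lower()
    return None


def hint_mismatches(chain, expected_domain: str):
    """Hops whose identity hint names a domain other than the expected one.
    A hit means home-realm discovery (and so the Okta app instance picked for
    that domain) was driven by a hint that did not come from the user's domain."""
    expected = expected_domain.lower()
    return [(url, d) for url, _, _ in chain
            if (d := hint_domain(url)) and d != expected]


if __name__ == "__main__":
    chain = redirect_chain(build_sample_saz())
    for url, status, location in chain:
        print(status, urlsplit(url).netloc, "hint:", hint_domain(url), "->", location)
    for url, domain in hint_mismatches(chain, "primary.example.com"):
        print("MISMATCH", domain, "at", urlsplit(url).netloc)
```

To use it on a real capture, replace build_sample_saz() with the bytes of the saved .saz and pass the domain the affected user is supposed to sign in with; the first hop that reports a mismatch is where the stale hint entered the flow, which is the request the support ticket should point at.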
  • jn5kb (jn5kb)

    Sadly, no! As a temporary workaround we have also added the incorrect application, which it attempts to use, to each of the user accounts. This seems to be working for now, but the situation is far from ideal.

  • Hi Joshua,

    Thanks for answering. I noticed that it is the cookie for outlook.office.com.

    It lists the correct domain name, but when the cookie expires, it gets pointed to the wrong domain. It is another domain we manage. So if we clear that cookie and then re-auth, we can get in to OWA.

    Can you explain your temporary workaround? Do you create a bookmark app?

    I added the cookie jpeg.

    Thanks again!

    Todd

    (attachment: cookie-2)
  • jn5kb (jn5kb)

    Sure, Todd. We granted users permissions to both O365 Okta applications: one for the correct, normal domain and the one it is attempting to authenticate to.

This question is closed.