
Patrickv.40677 (Customer) asked a question.
We implemented a custom login page with the okta-signin-widget which is running on our own domain (call it mydomain.com).
When the widget is initialized, several cookies are created on this domain, like JSESSIONID and DT (DeviceToken?).
We have configured our signin policies so that our users have to sign in with MFA. We would like to make it more convenient for our users by prompting them for MFA only once every 8 hours so we configured our MFA policy to prompt per session and set the factor lifetime to 8 hours.
So now, when a user signs in, he can check the checkbox "Do not challenge me on this device for the next 8 hours" and we should be good.
However, it is not working. My assumption is that it has to do with the DT cookie, which is (logically) set to mydomain.com, while the widget communicates with the okta backend via the domain mydomain.okta-emea.com. The same-site policy prevents the okta backend from receiving the DT cookie, henceforth the "do not challenge me .." feature doesn't work.
We cannot bind our mydomain.com domain name to our okta tenant because AWS Route 53 DNS policies do not allow that.
Is there an alternative way to send the DeviceToken to the okta backend?

⚠️ UPDATE:
I have configured Route 53 combined with CloudFront to redirect all requests to autn.mydomain.com to mydomain.okta-emea.com, but no success yet. The responses from Okta, however, contain URLs for different functions which the okta-signin-widget seems to use. So that leads me to a new question😁:
Is it possible to modify the URLs returned in the Okta responses?
I read here: https://developer.okta.com/docs/guides/custom-url-domain/overview/ that it should be possible using Cloudflare. Luckily my company is moving towards Cloudflare so that opens up possibilities. When I make progress, I will update this post.
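The cookie-scoping rule behind the problem described in this post, as an added example that is not part of the original post or of Okta's widget code: a small model of RFC 6265 cookie storage and domain matching (sections 5.1.3 and 5.3) that shows which cookies a browser attaches to a request. The cookie jar, cookie values and host names below are constructed for illustration; whether Okta's real DT and JSESSIONID cookies carry a Domain attribute is an assumption, not something the post states.

```javascript
// Added example: models RFC 6265 cookie scoping to show why a cookie set
// while the sign-in widget runs on mydomain.com is never attached to a
// request to mydomain.okta-emea.com, and why a page on mydomain.com cannot
// set a cookie for the Okta domain at all. Cookie jar and hosts are constructed.

// RFC 6265 section 5.1.3 domain matching: the request host must equal the
// cookie domain, or end with "." followed by the cookie domain.
function domainMatch(requestHost, cookieDomain) {
  const h = requestHost.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  if (h === d) return true;
  return h.endsWith("." + d);
}

// Parse a Set-Cookie header as received from settingHost. A cookie with no
// Domain attribute is "host-only" and is sent only to the exact setting host.
// A Domain attribute that the setting host does not domain-match is rejected
// (RFC 6265 section 5.3 step 6), so mydomain.com cannot scope a cookie to
// okta-emea.com.
function parseSetCookie(header, settingHost) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const name = nameValue.slice(0, nameValue.indexOf("="));
  const cookie = { name, domain: settingHost.toLowerCase(), hostOnly: true };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    if (k.toLowerCase() === "domain" && v) {
      const d = v.toLowerCase().replace(/^\./, "");
      if (!domainMatch(settingHost, d)) return null; // rejected by the browser
      cookie.domain = d;
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

// Decide whether a stored cookie is attached to a request to requestHost.
function cookieApplies(cookie, requestHost) {
  if (cookie.hostOnly) return requestHost.toLowerCase() === cookie.domain;
  return domainMatch(requestHost, cookie.domain);
}

// Names of the cookies from jar that would be sent to requestHost.
function cookiesSentTo(jar, requestHost) {
  return jar.filter((c) => cookieApplies(c, requestHost)).map((c) => c.name);
}

// Constructed jar: cookies set while the widget page at mydomain.com loads.
// JSESSIONID is modelled as host-only, DT with a Domain attribute (assumption).
const jar = [
  parseSetCookie("JSESSIONID=abc123; Path=/; Secure; HttpOnly", "mydomain.com"),
  parseSetCookie("DT=xyz789; Path=/; Domain=mydomain.com; Secure", "mydomain.com"),
].filter(Boolean);

console.log(cookiesSentTo(jar, "mydomain.com"));           // [ 'JSESSIONID', 'DT' ]
console.log(cookiesSentTo(jar, "auth.mydomain.com"));      // [ 'DT' ]
console.log(cookiesSentTo(jar, "mydomain.okta-emea.com")); // []
// A page on mydomain.com cannot set a cookie scoped to the Okta tenant domain:
console.log(parseSetCookie("DT=x; Domain=okta-emea.com", "mydomain.com")); // null
```

The last two lines are the security-relevant point: the browser only attaches a cookie to hosts that domain-match it, and a page can only set cookies for its own domain or a parent of it, so the Okta tenant on okta-emea.com cannot see a DT cookie stored under mydomain.com no matter what the widget does. A host under mydomain.com (such as the auth.mydomain.com front the update describes) does receive a Domain-scoped cookie, which is why a custom URL domain served from the same registrable domain changes the outcome.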