
ytnkw (ytnkw) asked a question.
Hi,
I have set up a Reverse Proxy in front of the App Server with the Mellon protection and multiple IdPs. There is an extra step in the login procedure, that's probably a bug in the OktaSignIn widget or in the mod_auth_mellon and I'm trying to find which one is to blame and how to fix this.
The correct login flow would be like this (I bolded out the difference):
- User tries to reach an app, goes to https://example.com/app, which points him to Reverse Proxy server.
- The Mellon on the Reverse Proxy server redirects him to https://example.com/idp-discovery, where the user can choose between two IdPs. They both happen to be just different okta apps (this is a test setup).
- Depending on the okta app chosen, the user gets redirected to the custom login page for the corresponding app (it's hosted on our Reverse Proxy server).
- After login the user is prompted for MFA (using email or sms, whatever).
- He's authenticated and goes to https://example.com/app.
But unfortunately what we're getting is:
- User tries to reach an app, goes to https://example.com/app, which points him to Reverse Proxy server.
- Reverse Proxy server redirects him to https://example.com/idp-discovery, where the user can choose between two IdPs. They both happen to be just different okta apps (this is a test setup).
- Depending on the okta app chosen, the user gets redirected to the custom login page for the corresponding app (it's hosted on our Reverse Proxy server).
- After login the user is redirected back to https://example.com/idp-discovery and has to choose the same IdP again, then he gets prompted for MFA.
- He's authenticated and goes to https://example.com/app.
I tried to debug this for quite a while now. I think the OktaSignIn is the problem, like it's not sending the full request for both first and second factor auth, only for the username and password.
I set up this custom login page as an .html file with a script with the basic, non-OIDC example, like in https://developer.okta.com/code/javascript/okta_sign-in_widget/#initializing-the-widget
The exact code:
<div id="widget-container"></div>
<!-- The widget script and stylesheet must be loaded first; take WIDGET_VERSION from the linked docs page -->
<link href="https://global.oktacdn.com/okta-signin-widget/WIDGET_VERSION/css/okta-sign-in.min.css" type="text/css" rel="stylesheet"/>
<script src="https://global.oktacdn.com/okta-signin-widget/WIDGET_VERSION/js/okta-sign-in.min.js"></script>
<script>
// Target to return to after login, extracted from the current URL;
// in this case it would be just https://example.com/app.
// The query-parameter name is not given in the post, so REDIRECT_PARAM is a placeholder.
var redirectUrl = new URLSearchParams(window.location.search).get('REDIRECT_PARAM');
// ${yourOktaDomain} is the placeholder used in the Okta docs; replace it with the real org domain
const signIn = new OktaSignIn({ baseUrl: 'https://${yourOktaDomain}' });
signIn.renderEl({
  el: '#widget-container'
}, function success(res) {
  if (res.status === 'SUCCESS') {
    // Sets the Okta session cookie, then redirects the browser to redirectUrl
    res.session.setCookieAndRedirect(redirectUrl);
  }
}, function error(err) {
  console.error(err);
});
</script>
What's funny is that if we don't have the idp-discovery mechanism (one IdP only) it works properly, I mean: the custom login page redirects the user for MFA prompt without the idp-discovery additional step.
Any help with debugging this would be much appreciated. I'd be happy to provide additional info.
Regards,
Jan

Hello @ytnkw (ytnkw),
Feel free to post this question on our Okta Developer Forums: https://devforum.okta.com,
and they should be able to help you with this.
Regards,
Natalia
Okta Inc.