OneLogin - how can I redirect a user to another pa

Published 2019-07-15 02:17

Question:

According to the OneLogin documentation, the final steps to log in a user via API calls are:

  1. Generate a session_token and submit it via form POST to a OneLogin url
  2. The OneLogin server will then start a session for you and return an httpOnly, domain specific cookie to your browser.
  3. Recognize that the form POST returned a 302 redirect status and send the user to another page

My question is how are you supposed to handle #3? Especially with regards to the cookie that is returned.

The documentation states:

In your actual app, you’ll need to include logic to look at the redirect and behave appropriately. Your app starts by requesting the POST, but upon receiving a successful response, it must be able to recognize that the user is now logged in and respond appropriately by displaying a logged in state to the user, for example.

How do I look at the redirect from a form post?

I can do that if I build a servlet, my browser calls the servlet and I emulate the form post on the back end. But now the returned cookie is only acceptable to my servlet call. If I attempt to pass it back to my browser, it will get rejected due to the domain field not matching my initial request. At least I'm assuming that's what's happening... I'm a little fuzzy here.

I cannot perform the form post via an AJAX call due to the 'httpOnly' aspect of the cookie. That attribute makes it forbidden to most browsers.

So how was this part intended to work? Is there an easier way? How has anyone managed to deal with this? My ultimate goal is just to send an authenticated user to my own portal page but I am unable to both successfully recognize the form response and properly set the browser cookie.

Any insight is appreciated. I'm using Firefox 49 and Tomcat 7 if that helps.

Answer 1:

The flow, in a nutshell, is:

Get session token. Post session token to the OneLogin endpoint from your login page. OneLogin will accept the token, set the session cookies on the OneLogin domain and redirect back to the original page that posted to it.

In the end, the create session part should never fail, because the logic on your side has to handle the bad password case and should never post to the create session endpoint unless that part of the flow succeeds.

All your page needs to do is recognize that it's being redirected to from the create session page and not go through the logic of presenting the user with a username and password again.

Having said all that, we expect to take the wraps off making this endpoint CORS compatible in the next few weeks, so you'll be able to make an AJAX call and not deal with all this redirection stuff.
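The flow the answer describes, as an added Python sketch that is not from the thread or from OneLogin: the server renders an auto-submitting form so the browser itself POSTs the session token (the only way the httpOnly cookie can land on the OneLogin domain), and the portal page recognises the redirect back by a one-time nonce it placed in return_to_url. The endpoint path and the form field names session_token / return_to_url are taken from OneLogin's "Create Session Via API Token" documentation, not from this page; obtaining the session token (and rejecting a bad password first) is assumed to have happened already.

```python
import html
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed from OneLogin's docs, not from the thread above.
SESSION_ENDPOINT = "https://{subdomain}.onelogin.com/session_via_api_token"


def build_session_form(subdomain: str, session_token: str, return_to_url: str) -> str:
    """Render the form the *browser* must POST to OneLogin.  Doing it from
    a servlet or via AJAX would keep the cookie away from the browser.
    Every value is HTML-escaped so a token or URL cannot break out of
    the attribute it sits in."""
    action = SESSION_ENDPOINT.format(subdomain=subdomain)
    esc = lambda s: html.escape(s, quote=True)
    return (
        f'<form id="ol" method="POST" action="{esc(action)}">'
        f'<input type="hidden" name="session_token" value="{esc(session_token)}">'
        f'<input type="hidden" name="return_to_url" value="{esc(return_to_url)}">'
        "</form><script>document.getElementById('ol').submit()</script>"
    )


def start_login(subdomain: str, session_token: str, portal_url: str, server_session: dict) -> str:
    """Call this only after the password check succeeded (the answer's
    point: never post to the session endpoint otherwise).  A one-time
    nonce is stored in *our* server-side session and echoed back through
    return_to_url so the portal can tell the redirect came from us."""
    nonce = secrets.token_urlsafe(16)
    server_session["onelogin_nonce"] = nonce
    return_to = portal_url + "?" + urlencode({"ol_return": nonce})
    return build_session_form(subdomain, session_token, return_to)


def handle_portal(request_url: str, server_session: dict) -> str:
    """Portal page handler.  Returns 'logged_in' when this request is the
    302 back from OneLogin carrying our unused nonce (or the user is
    already logged in), otherwise 'show_login'.  The nonce is consumed
    on first use so a replayed URL does not log anyone in."""
    query = parse_qs(urlparse(request_url).query)
    expected = server_session.pop("onelogin_nonce", None)
    presented = query.get("ol_return", [""])[0]
    if expected and secrets.compare_digest(presented, expected):
        server_session["logged_in"] = True
    return "logged_in" if server_session.get("logged_in") else "show_login"
```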



Tags: onelogin