Currently I'm writing a silentauth SSO check.
1st - Writing session
2nd - Redirect to external subdomain (SSO-Server)
3rd - Callback from SSO to /callback (POST-Route)
So far, the last step (which doesn't work): redirect to the session value "redirecturl".
Just in general: Are sessions cleared, or does the user get a new session ID, when he gets redirected from server-A to server-B and back again from server-B to server-A?
Whilst writing this, another possible issue came to mind: Maybe the missing CSRF token from the SSO response could be the reason?