
Comment by OkayPhysicist

1 day ago

I literally just implemented an Okta integration with an internal tool yesterday, so let me offer a little insight on why this happens. I have an existing tool. The guy in charge of it doesn't want me breaking anything, but we want to add an SSO flow to avoid having to log in.

So I need an "SSO login page", which fetches some configuration data, stores it, generates some shared tokens, hands them to the browser, and then redirects the user to an Okta endpoint. Okta, for some reason, doesn't directly serve the login screen at that endpoint, so it captures the tokens I gave the browser, then redirects to its login page. The user logs in on the Okta page, which then redirects the user back to a page that I specified, which (since I don't want to touch the fragile 10,000-line PHP document that is the application's home page) is a separate page, which gets some information from the browser, makes a request to another Okta endpoint, at which point the user can be authenticated, logged in, and then sent to the home page of the app.

Basically, the most standalone way of handling the problem involves 4 redirects.
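The two standalone pages described in the comment above, sketched as an added example that is not part of the original comment or the commenter's code. It assumes the "shared tokens" are an OAuth `state` value and a PKCE verifier; the URLs, client ID and the `session` dict (standing in for server-side session storage) are hypothetical placeholders.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed placeholder values, not taken from the page.
AUTHORIZE_URL = "https://idp.example.com/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://tool.example.internal/sso/callback"

def begin_login(session):
    """SSO login page: mint per-login values, store them, build the IdP redirect."""
    state = secrets.token_urlsafe(32)       # binds the callback to this browser session
    verifier = secrets.token_urlsafe(64)    # PKCE secret, never leaves the server side
    digest = hashlib.sha256(verifier.encode()).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    session["oidc_state"] = state
    session["pkce_verifier"] = verifier
    params = {
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "scope": "openid",
        "state": state, "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORIZE_URL + "?" + urlencode(params)

def handle_callback(session, callback_url):
    """Callback page: verify state, then build the back-channel token request body."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oidc_state", None)      # single use: a replay finds nothing
    verifier = session.pop("pkce_verifier", None)
    received = query.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: callback was not started by this session")
    if "error" in query or "code" not in query:
        raise ValueError("identity provider did not return an authorization code")
    # POST body for the token endpoint; the request itself is not sent here.
    return {
        "grant_type": "authorization_code", "code": query["code"][0],
        "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }

if __name__ == "__main__":
    sess = {}
    print(begin_login(sess))
    cb = REDIRECT_URI + "?" + urlencode({"code": "constructed-code", "state": sess["oidc_state"]})
    print(handle_callback(sess, cb))
```

Only after the token endpoint answers that back-channel request and the returned ID token validates should the callback page create the application session and send the user to the home page.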