Our organization uses Okta for SSO. When a user signs in to Okta, they click a link for our Moodle site and are automatically signed in with their credentials. This is done through Okta's SWA protocol. Okta's SWA works by storing user credentials with encryption and a private key. When a user logs into the Okta web portal and clicks the link to our Moodle site, Okta posts those stored credentials to the Moodle login page over SSL and the user is signed in. Our Moodle 3.6 site authenticates off LDAP and fills in Moodle profile info with fields from the LDAP record.
In our classrooms, thin clients connect users to a VMware desktop pool with Windows 10 LTSC VMs. Using Chrome, a user can successfully log in through Okta via the method outlined above. If a user closes all Chrome windows, opens Chrome again, signs into Okta, and follows the Moodle link, they are directed to a Moodle error page that reads, "You are already logged in as <user name of person trying to sign in>. You must logout before logging in as a different user." A user can either click "Logout" to be redirected to a login prompt or click "Cancel". When choosing Cancel, a user is taken to our Moodle home page and they are signed in with the correct account.
Does anyone have experience using Okta SWA for SSO with Moodle? I'm confused by the error message, "before logging in as a different user." What's the different user if the person is signed in through Okta with the same credentials they used the first time?
I am going to open a ticket with Okta support as well but I was curious if anyone encountered this issue with Moodle and Okta or if they've seen this same error message under other circumstances in Moodle.