[OAUTH-WG] Redirect to STS
Pieter De Rycke
2016-08-22 07:24:57 UTC
Hello,

This might be a stupid question, but why is the redirect happening in the
OAuth2 spec (and SAML previously) to the STS login page for cross-domain SSO?
Our marketing department is against this redirect as it means that users
are jumping out of the e-commerce shopping flow. They would prefer a login
mechanism in which the login page remains embedded in the e-commerce
websites. Having flexibility in login options is not necessary for us. We do
not expect to move away from username/password anytime soon.

We are thinking about an embedded login page that does an HTTP POST to the
STS (to have the cross-domain SSO cookies), but renders the login form
within the e-commerce website. Was there any good reason why the OAuth2/SAML
specs are redirecting to an STS-hosted page, except flexibility in login
options and the STS as trusted authentication system? We are considering
such a custom solution, but at the same time we would like to be sure that
we are not missing some important security aspects that might make our
authentication solution vulnerable.

Kind regards,
Pieter
