Setting the session token '_t' on the entire domain, not just my subdomain

That’s… what the SSO is for. You see a user you don’t recognise, you redirect the user to Discourse SSO, asking “please tell me who this user is”. Discourse looks at the cookie that it gets sent, sees the user is already logged in, and redirects straight back to your app with the necessary info. No need for the user to log in, because they’re already logged in to Discourse.

3 Likes
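The round trip described in the post above, seen from the app's side, as an added example that is not part of the original thread: it builds the signed redirect in Discourse's SSO-provider format (`/session/sso_provider` with a base64 `sso` payload and an HMAC-SHA256 `sig`) and verifies the signed reply. The hostnames, the shared secret and the `simulate_discourse_reply` helper are constructed placeholders so the block runs offline.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import urlencode, parse_qs

SSO_SECRET = b"constructed-shared-secret"          # assumption: same secret set on both sides
DISCOURSE = "https://forum.example.com"            # placeholder forum host
RETURN_URL = "https://app.example.com/sso/return"  # placeholder app callback

def _sign(payload_b64: str) -> str:
    # Signature is a hex HMAC-SHA256 over the base64 payload, keyed with the shared secret.
    return hmac.new(SSO_SECRET, payload_b64.encode(), hashlib.sha256).hexdigest()

def _pack(fields: dict) -> str:
    return base64.b64encode(urlencode(fields).encode()).decode()

def build_sso_redirect():
    """Return (nonce, url). The nonce must be kept in the visitor's app session."""
    nonce = secrets.token_hex(16)
    payload = _pack({"nonce": nonce, "return_sso_url": RETURN_URL})
    query = urlencode({"sso": payload, "sig": _sign(payload)})
    return nonce, f"{DISCOURSE}/session/sso_provider?{query}"

def verify_sso_response(sso: str, sig: str, expected_nonce: str) -> dict:
    """Check the reply before trusting any identity field in it."""
    # 1. Authenticity: constant-time compare, and only then decode the payload.
    if not hmac.compare_digest(_sign(sso).encode(), sig.encode()):
        raise ValueError("bad signature")
    fields = {k: v[0] for k, v in parse_qs(base64.b64decode(sso).decode()).items()}
    # 2. Freshness: the nonce must be the one issued to this browser session,
    #    otherwise a captured reply could be replayed into another session.
    if not hmac.compare_digest(fields.get("nonce", "").encode(), expected_nonce.encode()):
        raise ValueError("nonce mismatch")
    return fields

def simulate_discourse_reply(nonce: str, user: dict):
    """Constructed stand-in for the forum's signed reply (hypothetical helper)."""
    payload = _pack({"nonce": nonce, **user})
    return payload, _sign(payload)

if __name__ == "__main__":
    nonce, url = build_sso_redirect()
    print("redirect the browser to:", url)
    sso, sig = simulate_discourse_reply(nonce, {"external_id": "42", "username": "alice"})
    print("verified identity:", verify_sso_response(sso, sig, nonce))
```

The app never reads the forum's session cookie itself; it only trusts the signed, nonce-bound reply, and it should discard the stored nonce after one successful verification.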