We had some issues with our cross-origin login (the target site is x.company.com but the login is verified on apps.company.com). The structure of that was as follows:
