
Sessions

Info

Planned feature

LOKE allows for SSO using a session initialisation webhook. This works by LOKE's back end calling a configured webhook with the customer's contact details and unique ID. The webhook then returns a URL that contains a session identifier or token (e.g. in the query string or the URL path). Tidy's back end then redirects the customer's webview to this URL.

Note

It is recommended that the session ID or token have a short expiry (e.g. 60 seconds), since it is visible in the URL, and URLs are routinely recorded in web server, proxy and load balancer logs, browser history and Referer headers. A short lifetime limits how long someone who later copies it out of such a log can reuse it. If the target page requires further navigation (page loads) on your end, do not carry the token from page to page: exchange it for a longer-lived session and set that on a Secure, HttpOnly cookie. For extra security, also invalidate the ID or token after first use, so a replayed URL fails even inside the expiry window.

Session flow

Note

Any session identifier or token must be provided in the URL; headers and cookies are not supported. If cookie authentication is required, an intermediate step is needed: the third-party server reads the session ID from the URL, sets a cookie in its response, and then redirects onward.
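The token lifecycle the two notes above describe, written out as an added example (this is not LOKE's or Tidy's code): the webhook mints a short-lived, single-use token and returns a URL carrying it in the query string; the landing endpoint consumes the token, issues a longer-lived session and sets it on a Secure, HttpOnly cookie before redirecting to a clean path. The payload field names, the landing URL, the cookie name and the in-memory stores are assumptions; the page does not list the webhook's fields, and it does not describe how LOKE authenticates the webhook call, so that check is not shown here.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_TTL_SECONDS = 60            # short expiry, as the note recommends
SESSION_TTL_SECONDS = 8 * 3600    # longer-lived session once the token is exchanged

# Assumed: the third-party (your) endpoint that LOKE redirects the webview to.
LANDING_URL = "https://example-partner.test/loke/session"

# In-memory stores standing in for a database or cache. Keys are SHA-256 hashes
# of the secrets, so a leaked copy of the store does not yield usable tokens.
_pending_tokens = {}   # token hash -> {"customer_id": ..., "expires_at": ...}
_sessions = {}         # session hash -> {"customer_id": ..., "expires_at": ...}


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def handle_session_webhook(payload: dict, now=None) -> str:
    """Step 1: called by LOKE's back end with customer details and a unique ID.
    Returns the URL LOKE should redirect the webview to. 'customer_id' is an
    assumed field name; the page does not specify the payload format."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    _pending_tokens[_digest(token)] = {
        "customer_id": payload["customer_id"],
        "expires_at": now + TOKEN_TTL_SECONDS,
    }
    # The token has to travel in the URL: headers and cookies are not supported.
    return f"{LANDING_URL}?{urlencode({'token': token})}"


def handle_landing(url: str, now=None) -> dict:
    """Step 2: the webview arrives at the returned URL. Exchange the one-time
    token for a session cookie and redirect to a path that no longer carries it.
    Returns a dict describing the HTTP response (status and headers)."""
    now = time.time() if now is None else now
    token = parse_qs(urlsplit(url).query).get("token", [""])[0]
    record = _pending_tokens.pop(_digest(token), None)   # pop: single use
    if record is None or record["expires_at"] < now:
        return {"status": 401, "headers": {}}
    session_id = secrets.token_urlsafe(32)
    _sessions[_digest(session_id)] = {
        "customer_id": record["customer_id"],
        "expires_at": now + SESSION_TTL_SECONDS,
    }
    cookie = (
        f"session={session_id}; Path=/; Max-Age={SESSION_TTL_SECONDS}; "
        "Secure; HttpOnly; SameSite=Lax"
    )
    # Redirect away from the token-bearing URL so it does not linger in
    # browser history or get sent as a Referer on the next page.
    return {"status": 303, "headers": {"Set-Cookie": cookie, "Location": "/account"}}


def session_customer(cookie_header: str, now=None):
    """Later page loads: resolve the customer from the Cookie header, or None."""
    now = time.time() if now is None else now
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            record = _sessions.get(_digest(value))
            if record and record["expires_at"] > now:
                return record["customer_id"]
    return None
```

Because the landing handler pops the token before checking anything else, a URL copied out of a log fails on the second visit even inside the 60-second window, and an expired token is discarded rather than left in the store. The cookie, not the token, is what later page loads rely on.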

Session flow with cookie