Since your applications run on different domains, you cannot transfer cookies between these apps on the client machine to verify the user. So some information has to be passed through the server side.
The simplest solution that comes to my mind is:
Have a shared session for all servers.
Have a specific authentication domain and redirect users there whenever authentication is required. Authenticate the user there and set whatever session cookie or token you want.
Whenever one of your applications requires authentication, redirect to the authentication domain. The authentication cookie will be sent to the authentication domain as well as to the referrer domain. If you are already authenticated, the authentication server can redirect you back to the source application with the corresponding session ID, which is then set as a cookie for that domain.
If authentication has not been completed, the user is prompted to authenticate with the authentication server and is then redirected back.
With minor changes you can achieve this with tokens, without the need for shared sessions.
Verify carefully that the states are correct before implementing it. More states in your mechanism mean more chances for errors and possible attacks.
Consider moving the applications to subdomains of the same domain. If the authentication mechanism is the same, everyone knows that all applications belong to the same company anyway. In addition, it is easier for people to remember different subdomains of one domain than to remember several different domains.
krrish
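The redirect flow described in the answer above, modelled end to end as an added example (this is not code from the answer or from any real project). It takes the "tokens without shared sessions" variant: the authentication domain signs a short-lived token with a key it shares with the application, and the application checks signature, audience, expiry, single use, and the `state` value it issued before the redirect, which is the "verify the states" point from the answer. The hostnames `auth.example.test` / `app.example.test`, the parameter names `redirect_uri`, `token` and `state`, the claim names, the HMAC key and the user store are all assumptions made for this example.

```python
"""Redirect-based login across domains, as sketched in the answer above.

  * AuthServer - the authentication domain that owns the real login
  * App        - an application domain that needs to learn who the user is

Hostnames, parameter names and the token layout are assumptions for this example.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed key for the example; a real deployment would load it from a secret store.
SHARED_KEY = b"example-shared-hmac-key"
TOKEN_TTL_SECONDS = 60


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class AuthServer:
    """Authentication domain: checks credentials, issues a short-lived signed token."""

    def __init__(self, key: bytes, users: dict):
        self.key = key
        self.users = users  # constructed user store: username -> password

    def handle_login(self, redirect_uri: str, state: str, username: str, password: str):
        if self.users.get(username) != password:
            return None  # login failed; the user stays on the auth domain
        claims = {
            "sub": username,
            "aud": urlparse(redirect_uri).netloc,  # bind the token to the requesting app
            "state": state,                        # echo the app's state so it can be matched
            "exp": int(time.time()) + TOKEN_TTL_SECONDS,
            "jti": secrets.token_hex(8),           # one-time id so the token cannot be replayed
        }
        body = _b64u(json.dumps(claims, separators=(",", ":")).encode())
        sig = _b64u(hmac.new(self.key, body.encode(), hashlib.sha256).digest())
        return f"{redirect_uri}?{urlencode({'token': f'{body}.{sig}', 'state': state})}"


class App:
    """Application domain: starts the redirect and turns a valid token into its own session."""

    def __init__(self, host: str, key: bytes, auth_login_url: str):
        self.host = host
        self.key = key
        self.auth_login_url = auth_login_url
        self.pending_states = set()  # stands in for a per-browser cookie of issued states
        self.used_jtis = set()
        self.sessions = {}           # this app's own session id -> username

    def begin_login(self):
        state = secrets.token_urlsafe(16)
        self.pending_states.add(state)
        params = {"redirect_uri": f"https://{self.host}/callback", "state": state}
        return f"{self.auth_login_url}?{urlencode(params)}"

    def handle_callback(self, url: str, now=None):
        now = int(time.time()) if now is None else now
        query = parse_qs(urlparse(url).query)
        token = query.get("token", [None])[0]
        state = query.get("state", [None])[0]
        # 1. the state must be one this app issued and has not yet consumed
        if token is None or state is None or state not in self.pending_states:
            return None
        body, _, sig = token.partition(".")
        # 2. verify the signature before trusting anything inside the body
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).digest()
        try:
            if not hmac.compare_digest(_b64u_decode(sig), expected):
                return None
            claims = json.loads(_b64u_decode(body))
        except (binascii.Error, ValueError):
            return None
        # 3. audience, state binding, expiry and single use
        if (claims.get("aud") != self.host or claims.get("state") != state
                or claims.get("exp", 0) < now or claims.get("jti") in self.used_jtis):
            return None
        self.pending_states.discard(state)
        self.used_jtis.add(claims["jti"])
        session_id = secrets.token_urlsafe(24)  # value for this app's own session cookie
        self.sessions[session_id] = claims["sub"]
        return session_id


def demo():
    """Happy path: app redirects to auth, auth redirects back, app ends up with a session."""
    auth = AuthServer(SHARED_KEY, {"alice": "correct horse"})
    app = App("app.example.test", SHARED_KEY, "https://auth.example.test/login")
    login_url = app.begin_login()
    q = parse_qs(urlparse(login_url).query)
    callback = auth.handle_login(q["redirect_uri"][0], q["state"][0], "alice", "correct horse")
    sid = app.handle_callback(callback)
    return app.sessions.get(sid)


if __name__ == "__main__":
    print(demo())
```

Each extra state value (the `state` nonce, the pending set, the used `jti` set) exists to close one specific hole: a forged redirect landing on the callback, a token issued for one application being presented to another, and the same token being replayed after it was already exchanged for a session. Dropping any of them is where the "more states, more chances for errors" warning applies.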