Negative... the solution was to apply a WFA (OKTA protected) on top of it and leave the credentials in place (saved with no expiration)... not what I wanted, plus a waste of resources really, and it slowed down the whole thing (because of the "proxy" in between).
We now have a similar issue, but with the Microsoft solution (Azure), there's no connector to make it work... grrrr.