SSO and ADFS

ehealthmanny · January 6, 2018, 1:34am

Hello we have some questions about auth0 and SSO with ADFS.

Since we do not have the “Use Auth0 instead of the IdP to do Single Sign On” setting enabled. Does that mean that auth0 redirects to our ADFS login page first to check for an SSO session cookie after hitting /authorize ?
If we enabled the “Use Auth0 instead of the IdP to do Single Sign On” setting would auth0 then only redirect to our ADFS server on the initial call to /authorize, then store an SSO session cookie on the hosted login page, which expires after “SSO Cookie Timeout”

jmangelo · January 8, 2018, 7:13pm

Starting with the second point, yes, having the service (your Auth0 tenant/domain) act as the IdP would mean that if a valid session already exists at the service then by default there would be no need for the user to go to the underlying identity provider (in this case ADFS).

You should also have in mind that for OIDC compliant client application, which would be the recommendation, the toggle is enabled by default and cannot be disabled so you should likely implement your client applications according to the OIDC compliant behavior as the other one is associated with legacy authentication endpoints that are deprecated.

ehealthmanny · January 8, 2018, 10:49pm

@jmangelo Thank you very much for the reply.

Out of curiosity why is it considered non compliant with OIDC to always check back with the underlying IP to verify the users authentication?

jmangelo · January 9, 2018, 9:58pm

The OIDC compliant toggle affects more than that. For this particular case it’s just how it works, that is, if you’re treating the Auth0 service as the identity provider then by default the provider should be able to satisfy an authentication request if the user already has an authenticated session. When you enable the OIDC toggle you loose the ability to have a saying on this, but this is how it should work by default. There are very limited scenarios where you want to have a broker identity provider in the middle and then go to the underlying authentication provider on every request.

jmangelo · January 9, 2018, 9:59pm

In conclusion, in this particular case it’s not a textbook case of the specification says it is like that; it’s an inherent characteristic of using OIDC compliant authentication in Auth0.