I don’t have a lot of experience with Auth0, and have never set up an IdP-Initiated SSO before. From all of my research it sounds like we need to use the addon: “SAML2 Web App”, but I just wanted a little clarification.
Briefly:
Internal SPA application in our Auth0 tenant, using a MS Azure AD enterprise connection
SPA user is already authorized in the application
User clicks a link to launch an external 3rd party web application
3rd Party Web App:
Acting as Service Provider
Uses ADFS to implement identity federation between IdP
SAML v2.0 protocol
Web Browser SSO Profile
IdP-Initiated SSO using a POST Binding for the IdP-to-SP message
Desired Outcome:
User can launch the external web application, and get authorized without having to re-enter SPA credentials.
Is the “SAML2 Web App” addon the correct way to go?
Do I add the addon to our SPA application, or create a new application for the 3rd party web app, and add it there?
Where would I get the URL to initiate/launch the 3rd party web app (which causes Auth0 to generate/send the SAML assertion)? Is that the “Identity Provider Login URL” from the “SAML2 Web App” addon “Usage” tab?
I am sorry for the late reply to your post and hopefully you have managed to find a solution, however, if you have not I can provide you some extra insight for your implementation.
Indeed the SAML2 Web App add-on is the correct approach for your use case. In order to set one of your applications ( the SPA app in your case) as an SAML IdP, the add-on must be enabled and it can be configured from there. Setting your SPA app to be the SAML IdP for the connection should not affect your login flow, you can also create a new application for that purpose.
For more documentation regarding implementing the SAML SSO, you can visit this or learn how to set up the SAML IdP here.
Instead of building an IdP-Initiated SSO on your Auth0 tenant, I would recommend to implement on your SPA application where the user clicks a link to redirect them to the 3rd party app to make an /authorize call back to your tenant in order to authenticate them.
GET https://YOUR-AUTH0-TENANT.REGION.auth0.com/authorize?
response_type=code|token&
client_id={{ client_id of your 3rd party app&
connection={{SAML connection that the user authenticated through the SPA app&
redirect_uri={URL of your 3rd party app}
Otherwise, if you still want to continue with your initial approach, you can view on this post which explains how to set up an IdP SAML SSO or view our documentation on this matter.
If you have any additional questions, please feel free to reply back.