
Auth0 SAML and Silent Authentication

saml
silent-auth
silent-authenticatio
saml2

We have 3 companies wanting SSO for websites: our client, our partner, and us. Originally all were planning to talk directly to Auth0 as the SAML2 IdP, but now our client does not have time to integrate SSO by “launch”, so we are working on a temporary SAML solution. Our partner still needs to use SAML the way originally planned, so it is up to us to figure out this temp SAML solution for the current client. The temp solution does not need to have passwords at all, and as long as all endpoints are HTTPS we are not overly concerned with security measures or best practices (temp solution, remember?). I’m not a SAML expert, so please forgive me if I display some ignorance.

This temp solution involves users logging into the client portal website, then the user arrives at our portal (with enough user info to create a user), then using the Auth0 API and server-to-server calls we either find the user or create the user in Auth0, ideally do a silent authentication (starting the Auth0 session), then redirect the user’s browser to the partner, who will get the user info from Auth0 using normal SAML methods. At no point should the user see a login screen. When a session expires they must go back to the client portal to start a new session. This is all working except the silent authentication part.

At first I thought this would be possible based on https://auth0.com/docs/api-auth/tutorials/silent-authentication, but now I realize that is just for OpenID and not for SAML.

I’ve also seen others trying to implement something similar:

  • Jan 2018 Silent Authentication with SAML SSO
    "For SAML the situation is a bit different; however, depending on your situation there may be something possible. In particular, if the SSO between the two client applications is based on a single database connection, then instead of using https://{your_domain}.auth0.com/samlp/{client_id} as the login URL you can use https://{your_domain}.auth0.com/samlp/{client_id}?connection={your_db_connection_name}. From a quick test the inclusion of that additional parameter gave me the desired behavior; have in mind I could not find any formal documentation on this, but given the no-prompt behavior is what lies ahead, the use of this parameter seems low risk."
  • Completely Silent Flow for client with only SAMLP connections
    "If I add a mock database connection to the client, I can do a completely behind-the-scenes auth flow"

My question

  • Is it possible to do silent authentication for SAML?
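The server-to-server part of the flow described in the post (look the user up in Auth0, create them if absent, then send the browser to the partner's SAML login URL with the `connection` parameter from the quoted reply) can be sketched as follows. This is an added example, not code from the original post or from Auth0; it assumes a Management API token obtained separately, a database connection named `temp-client-db`, and placeholder domain and client IDs. The real Management API endpoints used are `GET /api/v2/users-by-email` and `POST /api/v2/users`; the HTTP transport is injectable, and the included `StubTransport` is a constructed in-memory stand-in so the logic runs offline.

```python
"""Find-or-create an Auth0 user, then build the samlp login URL.

Added example; the Auth0 domain, token and client IDs are placeholders.
"""
import json
import secrets
import urllib.parse
import urllib.request
from typing import Callable, Optional, Tuple

# Transport: (method, url, headers, json_body_or_None) -> (status, decoded_json)
Transport = Callable[[str, str, dict, Optional[dict]], Tuple[int, object]]


def urllib_transport(method: str, url: str, headers: dict,
                     body: Optional[dict]) -> Tuple[int, object]:
    """Real HTTP transport for the Management API (not used by the offline demo)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


class Auth0Handoff:
    """Server-side helper: find-or-create the user in a database connection,
    then hand the browser to the SAML IdP endpoint for the partner client."""

    def __init__(self, domain: str, mgmt_token: str, connection: str,
                 transport: Transport = urllib_transport) -> None:
        self.domain = domain            # placeholder, e.g. "example.auth0.com"
        self.mgmt_token = mgmt_token    # Management API token, obtained elsewhere
        self.connection = connection    # database connection name (quoted reply)
        self.transport = transport

    def _headers(self) -> dict:
        return {"Authorization": f"Bearer {self.mgmt_token}",
                "Content-Type": "application/json"}

    def find_user(self, email: str) -> Optional[dict]:
        # users-by-email is an exact-match lookup that returns a list.
        query = urllib.parse.urlencode({"email": email})
        url = f"https://{self.domain}/api/v2/users-by-email?{query}"
        status, body = self.transport("GET", url, self._headers(), None)
        if status != 200:
            raise RuntimeError(f"users-by-email failed: HTTP {status}")
        # Only accept a user whose identity lives in the temp connection, so a
        # same-email account in another connection is not reused by accident.
        matches = [u for u in body
                   if any(i.get("connection") == self.connection
                          for i in u.get("identities", []))]
        return matches[0] if matches else None

    def create_user(self, email: str, name: str) -> dict:
        # Database connections require a password on create; nobody needs it,
        # so a random one is generated and never stored.
        payload = {"connection": self.connection, "email": email, "name": name,
                   "email_verified": True, "password": secrets.token_urlsafe(32)}
        url = f"https://{self.domain}/api/v2/users"
        status, body = self.transport("POST", url, self._headers(), payload)
        if status != 201:
            raise RuntimeError(f"create user failed: HTTP {status}")
        return body

    def find_or_create(self, email: str, name: str) -> dict:
        return self.find_user(email) or self.create_user(email, name)

    def saml_login_url(self, partner_client_id: str) -> str:
        # URL form from the quoted reply: /samlp/{client_id}?connection=...
        query = urllib.parse.urlencode({"connection": self.connection})
        return f"https://{self.domain}/samlp/{partner_client_id}?{query}"


class StubTransport:
    """Constructed in-memory stand-in for the Management API (offline demo)."""

    def __init__(self) -> None:
        self.users: list = []
        self.calls: list = []

    def __call__(self, method, url, headers, body):
        self.calls.append((method, url))
        parsed = urllib.parse.urlparse(url)
        if method == "GET" and parsed.path == "/api/v2/users-by-email":
            email = urllib.parse.parse_qs(parsed.query)["email"][0]
            return 200, [u for u in self.users if u["email"] == email]
        if method == "POST" and parsed.path == "/api/v2/users":
            user = {"user_id": f"auth0|{len(self.users) + 1}",
                    "email": body["email"], "name": body["name"],
                    "identities": [{"connection": body["connection"],
                                    "provider": "auth0"}]}
            self.users.append(user)
            return 201, user
        return 404, {"error": "unhandled"}


def demo() -> dict:
    stub = StubTransport()
    h = Auth0Handoff("example.auth0.com", "MGMT_TOKEN_PLACEHOLDER",
                     "temp-client-db", transport=stub)
    first = h.find_or_create("alice@client.example", "Alice")   # creates
    second = h.find_or_create("alice@client.example", "Alice")  # finds
    return {"user_id": first["user_id"],
            "same_user": first["user_id"] == second["user_id"],
            "calls": [m for m, _ in stub.calls],
            "redirect": h.saml_login_url("PARTNER_CLIENT_ID_PLACEHOLDER")}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The lookup filters on the identity's `connection` so that a user with the same e-mail in the partner's own connection is not picked up for the temp flow; whether the hand-off from the client portal to this code is itself authenticated is outside the snippet and is the part that decides who can trigger the find-or-create.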