I have a third party IdP which is going to communicate via SAML with my SP, a ReactJS Single Page App. Auth0 is going to receive the SAML request from the IdP and has been configured to forward it to the SP via OpenID. Here is what is happening in our proof of concept:
User logs in to the IdP
User clicks on a link in a dashboard to access the SP, which is actually a link to Auth0
First the browser navigates to this url (which is correct):
and immediately the browser then tries to navigate to this url:
and then it lands on:
https://My-URL-In-Auth0-AllowCallbackURL/profile
Since the 3rd url does not have the access token, the SPA displays the login screen.
At this point, if the page is refreshed (F5), the profile page for the requested account is shown as expected.
This behavior occurs only on the first login. It loads the profile page normally on subsequent attempts on Chrome, Edge and Opera browsers. For some reason, Firefox and Brave browsers land on the login page all the time. If the first url (shown above) is placed in the address bar of these browsers, it shows the page correctly.
I have already read the following articles:
Configure Silent Authentication - this article suggests adding prompt=none, which I added to:
SP Tenant | Authentication | Enterprise | SAML | MyConnection | IdP-Initiated SSO | Query String
as:
response_type=token id_token&prompt=none
but this did not have any impact.
Is there a setting in Auth0 that can impact this behavior? Or is this something that needs to be captured by the SPA?
Any assistance would be appreciated, thank you very much!
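Added example (not code from the post above, and not Auth0's SDK): the question asks whether the SPA has to capture something itself. With `response_type=token id_token` the tokens arrive in the URL fragment (`#access_token=...&id_token=...`), and a client-side router that navigates away before that fragment is read will land on a bare `/profile` URL with no tokens, which is exactly the symptom described. The code below shows the capture step the SPA must perform on page load: parse the fragment, refuse the page load as a login when no tokens are present, and check expiry, nonce and signature before trusting the `id_token`. The host `spa.example`, the token values and the `verifySignature` callback are placeholders constructed for this example; signature verification against the tenant's JWKS is left to that callback because it needs network access. For an IdP-initiated flow there is no nonce stored by the SPA before the redirect, so `expectedNonce` is optional here; that missing binding is one reason IdP-initiated SSO is considered weaker than SP-initiated.

```javascript
// Added example: capture implicit-flow tokens from the callback fragment in an SPA.
// Placeholder host and tokens; nothing here is taken from a real tenant.

function base64UrlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return typeof atob === 'function' ? atob(b64) : Buffer.from(b64, 'base64').toString('binary');
}

function base64UrlEncode(s) {
  const b64 = typeof btoa === 'function' ? btoa(s) : Buffer.from(s, 'binary').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Parse "#access_token=...&id_token=...&state=..." into an object.
// Returns null when the fragment carries no tokens (e.g. a bare /profile URL).
function parseCallbackFragment(url) {
  const hashIndex = url.indexOf('#');
  if (hashIndex === -1) return null;
  const params = new URLSearchParams(url.slice(hashIndex + 1));
  const accessToken = params.get('access_token');
  const idToken = params.get('id_token');
  const error = params.get('error');
  if (!accessToken && !idToken && !error) return null;
  return { accessToken, idToken, error, state: params.get('state') };
}

// Decode the JWT payload only; this does NOT verify the signature.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Decide whether this page load is a usable login callback.
// verifySignature(jwt) must check the id_token against the tenant's JWKS
// (placeholder callback here; a real SPA would use a JOSE library for it).
function handleCallback(url, { verifySignature, expectedNonce = null, now = Date.now() / 1000 }) {
  const frag = parseCallbackFragment(url);
  if (!frag) return { authenticated: false, reason: 'no tokens in fragment' };
  if (frag.error) return { authenticated: false, reason: frag.error };
  if (!frag.idToken) return { authenticated: false, reason: 'missing id_token' };
  if (!verifySignature(frag.idToken)) return { authenticated: false, reason: 'bad signature' };
  const claims = decodeJwtPayload(frag.idToken);
  if (typeof claims.exp === 'number' && claims.exp < now) return { authenticated: false, reason: 'id_token expired' };
  if (expectedNonce !== null && claims.nonce !== expectedNonce) return { authenticated: false, reason: 'nonce mismatch' };
  return { authenticated: true, subject: claims.sub, accessToken: frag.accessToken };
}

// Constructed, unsigned token for demonstration only. A real id_token is RS256-signed
// by the tenant; never accept alg "none" in production.
function makeDemoIdToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(claims))}.`;
}

const DEMO_TOKEN = makeDemoIdToken({ sub: 'auth0|demo-user', nonce: 'n-123', exp: 4102444800 });
const DEMO_VERIFY = () => true; // placeholder: accepts the constructed demo token

// The URL the SPA receives from Auth0 (tokens present in the fragment) ...
const URL_WITH_TOKENS = `https://spa.example/profile#access_token=demo-at&id_token=${DEMO_TOKEN}&expires_in=7200`;
// ... versus the URL left behind once a router has navigated away.
const URL_WITHOUT_TOKENS = 'https://spa.example/profile';

function demo() {
  return {
    withTokens: handleCallback(URL_WITH_TOKENS, { verifySignature: DEMO_VERIFY, expectedNonce: 'n-123', now: 1000 }),
    withoutTokens: handleCallback(URL_WITHOUT_TOKENS, { verifySignature: DEMO_VERIFY }),
  };
}
```

The practical point for the SPA is ordering: read and persist the fragment before any route change, because once the browser is at the bare `/profile` URL the tokens are gone and the only fix is another round trip to Auth0.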