Auth0 Home Blog Docs

Completely Silent Flow for client with only SAMLP connections


#1

So, this is a general question and indicates my ignorance of some of the flows with Auth0, but here is what we’re trying to do.

We want to implement a custom login page using React/Redux; specifically we want this to be a reusable component that we can drop into several of our products and style to match the product. We are not hosting user credentials; instead we want to use Auth0 to federate login information out to numerous SAMLP enterprise connections which our customers will use.

Here’s the thing: we want a completely transparent flow: no redirects, no Auth0 UI, and no third party IDP UI. We would like to be able to enter the credentials into a React/Redux form and then have “something” happen where the credentials bounce through Auth0, to the federated SAML IDP’s, authenticate (or not), and then back to us. It’s okay to redirect to another page on our site, but we want to keep the flow on our site. Once we get an auth token and an ID token back, we will take over and provide a “pseudo-SAML” flow to augment the user info with internal ID claims on our site.

What we can’t seem to make work is the silent authentication part (the AuthN). All the samples and all the code paths I’ve gone down seem to boil down to a call to WebAuth.login() in the auth0.js SDK (version 9). However, if the Auth0 client does not have a database connection, we get variations on the error message that “username/password authentication is not supported.” If I add a mock database connection to the client, I can do a completely behind-the-scened auth flow, but it’s a design requirement that we do not host the credentials, our customers’ third-party SAML IDP’s host them.

I know that SAML has a post-to-post binding, which should – in theory – allow a completely silent auth flow via SAML, but I cannot, for the life of me, figure out how to trigger this.

TL/DR: we want to be able to programmatically submit a username/password to Auth0, have it federate that out to an appropriate SAML IDP, and then call us back with the authorization results. And we want all of that to happen without redirects, or only with redirects back to our site.

Is this possible? Right now I can make it work with the “universal” flow, but this involves two bounces – one to the Auth0 lock to enter the email and bounce to the federated IDP, and one to the federated IDP – then back to us.

I apologize if my ignorance of the OIDC/SAML flows is showing!

Depending upon the answer(s) to this question, I may have further questions. Thanks in advance!

– Tom