Disable Seamless SSO Between Applications

Problem statement

This article provides details on how to disable Seamless SSO between applications.

Solution

Seamless SSO is enabled on the tenant by default. Because both applications belong to the same tenant, a user who has an active Auth0 session in one application is signed in to the other without being prompted for credentials. It makes no difference that the applications run on different servers: authentication is performed against the same tenant, so the login step is skipped.

With Seamless SSO enabled on the tenant, when a user who is logged in to appA is sent to the second application, appB, appB still has to start its own authentication request; Auth0 does not push the session to appB automatically. When the user clicks ‘login’ on appB, they are signed in immediately without entering credentials, because Auth0 sees the active session via its session cookie.

Single Sign-on (SSO) means that a user logs in to one application and is signed in to other applications automatically, regardless of the platform, technology, or domain involved: the user signs in only once, hence the name of the feature. The Universal Login page provides SSO between two applications. When Universal Login is used, Auth0 stores a session cookie in the browser, and when an application redirects to the Universal Login page for authentication, the user is logged in automatically whenever a valid session exists.

To require users to authenticate every time an application asks for a token, set the sso_disabled flag on that application (client) using the Management API’s PATCH /api/v2/clients/{id} endpoint. See Update a Client for details.

sso_disabled: boolean - true to disable Single Sign On, false otherwise (default: false)

If setting the sso_disabled flag at the application/client level is not an option, a workaround is to add prompt=login to the authorization request, which forces the login prompt to be displayed again. Note that the original user’s session cookie still exists: prompt=login only tells Auth0 to ignore it for that one authorization request, it does not end the session. If a malicious user with access to the machine re-issues the authorization request without the prompt=login parameter, the original user is logged in automatically.
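The two options above as concrete HTTP requests. This is an added example, not code from the Auth0 article or from Auth0 itself: it builds the Management API PATCH that sets sso_disabled on one client, and the /authorize URL appB would redirect to with and without prompt=login, then shows that stripping prompt=login from a captured request leaves an otherwise identical request that Auth0 would satisfy from the existing session. The tenant domain, client ID, callback URL and Management API token are placeholders; the token would need the update:clients scope.

```python
"""Added example (not from the Auth0 article or Auth0's own code).

1. Management API: PATCH /api/v2/clients/{id} with {"sso_disabled": true}
2. Authorization request: /authorize with prompt=login, and what remains
   of its protection once prompt=login is removed.

Domain, client ID, callback and token below are placeholders (assumptions).
"""
import json
import secrets
import urllib.parse
import urllib.request

AUTH0_DOMAIN = "example.auth0.com"                  # placeholder tenant domain
CLIENT_ID = "appB_client_id"                        # placeholder client ID for appB
REDIRECT_URI = "https://appb.example.com/callback"  # placeholder callback URL


def build_sso_disable_request(domain, client_id, mgmt_token, disable=True):
    """Return the urllib Request that sets sso_disabled on a single client.

    mgmt_token is a Management API access token (a Machine-to-Machine
    application authorized for the Management API with update:clients).
    The request is built but not sent, so the shape can be inspected offline.
    """
    url = f"https://{domain}/api/v2/clients/{urllib.parse.quote(client_id)}"
    body = json.dumps({"sso_disabled": disable}).encode()
    return urllib.request.Request(
        url,
        data=body,
        method="PATCH",
        headers={
            "Authorization": f"Bearer {mgmt_token}",
            "Content-Type": "application/json",
        },
    )


def build_authorize_url(domain, client_id, redirect_uri, force_login=False,
                        state=None, nonce=None):
    """Build the OIDC authorization-code request appB redirects the browser to.

    With force_login=True the request carries prompt=login, so Auth0 shows the
    login prompt even though its session cookie is still present and valid.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state or secrets.token_urlsafe(16),
        "nonce": nonce or secrets.token_urlsafe(16),
    }
    if force_login:
        params["prompt"] = "login"
    return f"https://{domain}/authorize?" + urllib.parse.urlencode(params)


def has_forced_login(url):
    """Does a captured authorization URL demand re-authentication?

    prompt may carry several space-separated values (e.g. "login consent"),
    so check for the login token rather than string equality.
    """
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return "login" in query.get("prompt", [""])[0].split()


def strip_prompt(url):
    """What someone with access to the same browser can do: re-issue the request
    with only prompt removed. Everything else is unchanged, so Auth0 answers it
    from the session cookie that prompt=login never cleared."""
    parts = urllib.parse.urlsplit(url)
    query = [(k, v) for k, v in urllib.parse.parse_qsl(parts.query) if k != "prompt"]
    return urllib.parse.urlunsplit(parts._replace(query=urllib.parse.urlencode(query)))


if __name__ == "__main__":
    req = build_sso_disable_request(AUTH0_DOMAIN, CLIENT_ID, "MGMT_API_TOKEN")
    print(req.get_method(), req.full_url, req.data.decode())
    forced = build_authorize_url(AUTH0_DOMAIN, CLIENT_ID, REDIRECT_URI, force_login=True)
    print(forced)
    print("forced:", has_forced_login(forced),
          "after strip:", has_forced_login(strip_prompt(forced)))
```

The only request that changes tenant-side behaviour for every future authorization is the PATCH; the prompt=login URL protects exactly one request, which is why the stripped URL still passes has_forced_login as False while being a valid request in every other respect.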
