Feature: The ability to exchange an access token issued by Auth0 for an authenticated Auth0 IdP session for SAML SSO to external partners
Description: We are using Auth0/Okta CIC as our IdP for external SAML federations to external partners as well as the OAuth Authorization server for our Mobile and Web Application.
Our use case is that our Native App uses the web-based Auth0 Universal Login screens to log in to the app, and uses Access and Refresh Tokens to access the application. With this login flow, in a browser view there is no session with Auth0. If a user then attempts to SSO to a partner site, we need to go through a "SAML Bridge" pattern to exchange the Access Token for a new session in the browser. This adds overhead to the process. It would be a great help if there was an API that could be called to directly exchange the access token for the Auth0 session.
Previously in IBM SAM/SVA there was an endpoint that could be enabled to do this that we had used. I.e.:
https://www.ibm.com/docs/en/sva/10.0.6?topic=support-oauth-20-endpoints
Session endpoint
A URL where an access_token can be exchanged for a web session. The client uses the endpoint to obtain an authenticated web session for the resource owner that is typically used in hybrid mobile application scenarios.
Use-case: Tell us what you are building. How would the feedback/feature improve your experience?
The SAML Bridge is essentially another IdP-invoked federation into Auth0. He had to build a custom service that is a crude IdP that would build a SAML assertion to SSO into Auth0. This custom service builds the user identity from the access token passed to the service. When the user then SAML SSOs into Auth0, we have another custom redirector app to then direct the user to the correct Outbound SAML App for the vendor federation. There are multiple custom services/apps that we need to build and support for what could be a much simpler interaction for the outbound SAML federation.
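The core of the bridge described above is the step that turns a bearer access token into a user identity for the SAML assertion, and that step is only safe if the token is fully validated first. The following is an added example, not code from the original post or from Auth0: it verifies a JWT's signature, algorithm, issuer, audience and expiry before mapping its claims into a minimal SAML 2.0 assertion. It assumes a constructed HS256 test key (real Auth0 access tokens are RS256 and verified against the tenant JWKS), and the issuer/audience strings are placeholders; signing the assertion with XML-DSig is not shown.

```python
import base64, hashlib, hmac, json, time, uuid
import xml.etree.ElementTree as ET

NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", NS)

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_token(claims: dict, key: bytes) -> str:
    """Constructed test token only; real Auth0 access tokens are RS256 and verified via JWKS."""
    head = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"

def verify_access_token(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Check signature, algorithm, issuer, audience and expiry before trusting any claim."""
    head, body, sig = token.split(".")
    if json.loads(_b64url_decode(head)).get("alg") != "HS256":  # pin the algorithm, never trust the header
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]  # Auth0 may issue a list of audiences
    if claims.get("iss") != issuer or audience not in aud:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def build_assertion(claims: dict, bridge_issuer: str, auth0_audience: str) -> str:
    """Map validated claims to an (unsigned) SAML assertion; XML-DSig signing is not shown here."""
    tag = lambda n: f"{{{NS}}}{n}"
    a = ET.Element(tag("Assertion"), ID="_" + uuid.uuid4().hex, Version="2.0",
                   IssueInstant=time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()))
    ET.SubElement(a, tag("Issuer")).text = bridge_issuer
    subj = ET.SubElement(a, tag("Subject"))
    ET.SubElement(subj, tag("NameID"), Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified").text = claims["sub"]
    cond = ET.SubElement(a, tag("Conditions"))
    ET.SubElement(ET.SubElement(cond, tag("AudienceRestriction")), tag("Audience")).text = auth0_audience
    attrs = ET.SubElement(a, tag("AttributeStatement"))
    for name in ("sub", "email"):  # copy only the identity claims the redirector/outbound app needs
        if name in claims:
            ET.SubElement(ET.SubElement(attrs, tag("Attribute"), Name=name), tag("AttributeValue")).text = str(claims[name])
    return ET.tostring(a, encoding="unicode")
```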