Help understanding why "Last time you logged in with" is appearing as opposed to being authenticated and relayed onwards

Hi,

I am working with a Service Provider who I have discovered is using Auth0’s services to accommodate an SSO process from my application into their own. I am acting as the Identity Provider. The problem I am having is I am being stopped at the client’s Auth0 login page with the following message: “Last time you logged in with”, where the Email address I passed via SAML is presented within a grey button.

Can someone please help me understand why I might be presented with this message as opposed to being authenticated and relayed/directed onward to the client facing application?

If it helps to make things more clear, I am using an IdP-initiated solution, thereby first sending a SAML Assertion which contains the relevant attributes (NameID, Email) to the Service Provider’s ACS URL: (https://{example}.eu.auth0.com/login/callback?connection={example}).

Is there something that the provider who owns the Auth0 integration may have to configure at their side to circumvent this “Last time you logged in with” page thereby allowing the authentication to continue?

I am seeking help because the provider has let me know that the issue is likely on my (IdP) side.

I hope I’m allowed to post this! Apologies if I am wrong. Thanks in advance!

UPDATE: Success! I was able to intercept the Authentication request and append “prompt=none” to the request, which I found mentioned in other tickets on this forum; this has allowed the “Last time you logged in with” to be bypassed and I’m successfully logged in!

I will contact the service provider to see if this is something they can configure within their Auth0 environment… Hopefully it is!

The usage of IdP-Initiated is likely indeed one of the factors that causes this weird outcome. The prompt=none option would indeed signal that a user interface should not be shown for this particular request and the response should be given immediately (either a success response if a suitable session exists or an error response).

Although that parameter could mitigate the situation, the recommendation could be adopting a somewhat different flow altogether.

Do you use IdP-Initiated because you as an IdP only support this flow or simply because you want users to start on your side and click a link/button/image (something) that leads to them getting logged into the respective application? If it’s the latter this could potentially be achieved while still using an SP-Initiated flow and in this way possibly bypass the screen you mention as well.
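To make the prompt=none behaviour described in the reply (and applied by hand in the OP's update) concrete, here is an added example that is not code from the thread or from Auth0: it builds an SP-initiated authorization request with prompt=none, shows the same parameter being appended to an intercepted request, and classifies the callback as the silent success or the OIDC-defined "UI would be required" errors. The tenant domain follows the shape in the thread; client_id, redirect_uri and the connection name are placeholders.

```python
# Added example (not from the original thread). Assumptions: the SP is an OIDC
# client of the Auth0 tenant; the domain mirrors the shape shown in the thread
# and CLIENT_ID / REDIRECT_URI are constructed placeholders.
from urllib.parse import urlencode, urlsplit, parse_qs, urlunsplit

AUTH0_DOMAIN = "example.eu.auth0.com"          # placeholder tenant
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"            # placeholder
REDIRECT_URI = "https://sp.example/callback"   # constructed placeholder

# Error codes OIDC Core defines when a prompt=none request cannot be
# completed without showing the user some interface.
SILENT_AUTH_ERRORS = {"login_required", "interaction_required",
                      "consent_required", "account_selection_required"}


def build_authorize_url(state, connection=None, silent=True):
    """Build the /authorize URL; silent=True adds prompt=none so no UI is shown."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",
        "state": state,
    }
    if connection:
        params["connection"] = connection  # route straight to the SAML connection
    if silent:
        params["prompt"] = "none"
    return f"https://{AUTH0_DOMAIN}/authorize?" + urlencode(params)


def add_prompt_none(url):
    """What the OP did by hand: append prompt=none, keeping every other parameter."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query["prompt"] = ["none"]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def handle_callback(callback_url, expected_state):
    """Classify the redirect back from /authorize after a prompt=none request."""
    query = parse_qs(urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        return ("reject", "state mismatch")  # never accept a response we did not start
    if "code" in query:
        return ("success", query["code"][0])  # a suitable session existed: silent success
    err = query.get("error", [None])[0]
    if err in SILENT_AUTH_ERRORS:
        return ("retry_interactive", err)     # no usable session: re-send without prompt=none
    return ("error", err or "unknown")
```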