The first time I go to my hosted login page via the /authorize URL, I see a nice lock like I expect, but as soon as I have logged in it appears that the Auth0 server remembers this. So if I try to go there again, I am immediately redirected (302) back to my page as if I entered the same username and password. If I clear the cookie for my hosted login page, it works again. This doesn’t happen on my old tenant but I can’t see any differences in settings that could be causing this. Does anyone have ideas how to debug this?
New tenants have “Seamless SSO” enabled by default, where the hosted login page will be skipped completely if the user has a valid session at Auth0 (the previous behavior was to get a “Last time you logged in with …” button in Lock that allowed the user to click and log in without entering credentials again, effectively using the existing session).
You can make an old tenant behave like new tenants by using the “Enable Seamless SSO” option (see https://auth0.com/docs/sso/current/setup#addendum-sso-configuration-for-legacy-tenants), but you can’t make new tenants behave like old tenants.
What you can do, if it makes sense for your use case, is reduce the duration of the Auth0 session. Applications can also force the login page to be displayed by using the prompt=login parameter on the authentication response.
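
An added example, not part of the original answer and not Auth0's own code: it builds an /authorize URL that asks for the login page with prompt=login, and goes one step further by also sending the standard OpenID Connect max_age parameter and checking the ID token's auth_time claim on return, since a query parameter can be removed in the browser before the request reaches the server. The tenant domain, client ID, redirect URI and claim values are constructed placeholders, and the claims are assumed to come from an ID token whose signature, issuer, audience, expiry and nonce have already been validated.

```javascript
// Build the authorization request. All values passed in are placeholders.
function buildAuthorizeUrl({ domain, clientId, redirectUri, state, nonce, forceLogin }) {
  const url = new URL("/authorize", domain);
  const params = new URLSearchParams({
    response_type: "code",
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: "openid profile",
    state,
    nonce,
  });
  if (forceLogin) {
    params.set("prompt", "login"); // ask for the login page even if a session exists
    params.set("max_age", "0");    // OIDC: also request auth_time in the ID token
  }
  url.search = params.toString();
  return url.toString();
}

// Decide whether the returned ID token reflects a recent interactive login.
// `claims` is the already-validated ID token payload (assumption of this example).
function isFreshLogin(claims, maxAgeSeconds, nowSeconds = Math.floor(Date.now() / 1000), skewSeconds = 60) {
  const authTime = claims.auth_time;
  if (!Number.isInteger(authTime)) return false;          // claim missing: treat as stale
  if (authTime > nowSeconds + skewSeconds) return false;  // timestamp in the future: reject
  return nowSeconds - authTime <= maxAgeSeconds + skewSeconds;
}

// Constructed sample data, for illustration only.
const NOW = 1700000000;
const reusedSession = { sub: "user-1", auth_time: NOW - 3600 }; // SSO session from an hour ago
const freshLogin = { sub: "user-1", auth_time: NOW - 20 };      // credentials just entered

console.log(buildAuthorizeUrl({
  domain: "https://tenant.example",
  clientId: "CLIENT_ID_PLACEHOLDER",
  redirectUri: "https://app.example/callback",
  state: "state-placeholder",
  nonce: "nonce-placeholder",
  forceLogin: true,
}));
console.log(isFreshLogin(reusedSession, 300, NOW)); // false: silent SSO, not a new login
console.log(isFreshLogin(freshLogin, 300, NOW));    // true
```

In a real application the state and nonce values must be random per request and checked on the callback.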