How to Achieve Seamless SSO with OIDC Enterprise Connection?

Hi Community!

I followed the Auth0 documentation for setting up an OIDC Enterprise Connection.

My goal is to achieve completely seamless SSO when a user logs into App1 (via IDP1) and then navigates to App2 (via IDP2, which is federated with IDP1).

What I Did:

  1. Configured the OIDC Enterprise Connection in IDP2, pointing to IDP1.
  2. Enabled the connection in App2 (IDP2).
  3. Ensured that all login URLs, callback URLs, and authentication settings align with the documentation.

To make it work, I had to go under Login Experience in the connection settings and either:

  1. Check “Display connection as a button” → Users must click the button to trigger SSO.
  2. Use “Identity Provider Domains” → Users must enter their email first, then it triggers SSO.

Both methods technically work, but they are not seamless, as they require user interaction.

Question:
How can I make the login process completely seamless, without requiring the user to either click a button or enter their email?

Is there a way to force the OIDC connection to automatically redirect?
Maybe I’m missing some specific setting that can achieve this? e.g. Organizations?
Any guidance would be greatly appreciated!

I ended up updating the Universal Login code with JavaScript to detect the button and auto-click it. It’s a silly workaround, but it works.
Would still appreciate it if anyone could suggest a proper solution.

Hi @yuriscom

Seamless SSO should be enabled by default on your tenant; the option to toggle it on/off is available for legacy tenants, as mentioned in our documentation. This means that your applications should have Seamless SSO between them if BOTH applications have the same database connection enabled. Otherwise, you may want to look into Silent Authentication if you want your applications to use different connections.
I would advise you to review this Knowledge Article regarding Seamless SSO.

If you have any other questions, feel free to let me know!

Kind Regards,
Nik

Hi Nik,
Thank you for your answer.

I think, however, that the button I’m talking about is showing before we reach the OIDC flow itself.

When the OIDC flow starts, it is using the silent authentication, totally getting what I need.

What I’m referring to is the connection button.

From the screenshots below you can see that it’s the step before we start the OIDC process, just to give the user the option to choose between the possible ways to log in. If he chooses to continue with the enterprise connection, then it will do the silent OIDC.

And I’m wondering if there’s a way to omit this screen and continue directly to the enterprise connection without user interaction. Right now I had to add JS code in the Universal Login to auto-click it. But of course, it’s a workaround.

Hi again @yuriscom

Thank you for explaining the situation!

Instead of having your JS code click the button automatically as soon as the user reaches the login screen, have you attempted to redirect the user to a specific /authorize call where you pass in the optional `connection` parameter specifying your OIDC connection?

You can read more about that in our documentation for Add Login Using the Authorization Code Flow.

That should accomplish the same purpose as your code automatically clicking the button for the user and you should be able to hide the button completely since you will automatically redirect the user to the connection.

Let me know if that helps you solve the issue for your use case!

Kind Regards,
Nik
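As an added illustration of the approach Nik describes (example code written for this thread, not Auth0's SDK or anything posted above), the snippet below builds the /authorize URL for App2 with the `connection` parameter set so Universal Login skips the connection picker, adds `state` and PKCE so the redirect cannot be forged or replayed, and validates the callback. The tenant domain, client ID, callback URL and connection name are placeholders.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder values: replace with your own tenant, App2 client ID, callback
# and the name of the OIDC enterprise connection configured in IDP2.
AUTH0_DOMAIN = "your-tenant.us.auth0.com"
CLIENT_ID = "YOUR_APP2_CLIENT_ID"
REDIRECT_URI = "https://app2.example.com/callback"
OIDC_CONNECTION = "idp1-oidc"


def pkce_pair():
    """Return (code_verifier, code_challenge) using the S256 method (RFC 7636)."""
    verifier = secrets.token_urlsafe(64)          # 86 url-safe chars, within 43..128
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(state, code_challenge, silent=False):
    """Build the /authorize URL that sends the browser straight to one connection.

    `connection` names the enterprise connection, so Universal Login does not
    show the screen asking the user to pick a login option. With silent=True,
    `prompt=none` requests silent authentication: if IDP1 has no session the
    callback carries an error (e.g. login_required) instead of a login prompt.
    """
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,                    # bind the callback to this attempt
        "connection": OIDC_CONNECTION,     # bypass the connection picker
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    if silent:
        params["prompt"] = "none"
    return f"https://{AUTH0_DOMAIN}/authorize?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Validate the callback: reject a mismatched state, surface IdP errors."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale login attempt")
    if "error" in q:
        return {"error": q["error"][0]}   # e.g. login_required under prompt=none
    return {"code": q["code"][0]}
```

Store `state` and the code verifier server-side (or in a secure cookie) between the redirect and the callback, then exchange the returned code together with the verifier at the token endpoint.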

Thank you,
will check this as soon as I get a chance.
I’m resolving the issue in the meantime.