How to implement S-SSO cross domain

Hello,

We have the following setup in our company. On our tenant we have multiple applications that are used by different teams and hosted on different domains.
In our project we have 3 applications that are close together. They have the following hosting setup:

We have a requirement to implement Seamless SSO between the applications, so
when the user is authenticated in one of the applications and switches to a different one, we would like to maintain the authenticated state by redirecting the user to the login (where SSO takes place), and when the user reaches the other application, the user stays authenticated.

The problem is not the SSO (that is taken care of by Auth0; we use the same connection and also the same tenant). The "problem", or more like the challenge, is how to detect that the user is already authenticated in the different application, so we could trigger the authentication.

I spent the last couple of days reading the different community topics and the Auth0 documentation to see what the possible options are.

  1. As I wrote, the tenant is used by different teams and applications, so it is not possible to set a "common" custom domain (so please take this as not a possible option).

  2. I checked whether it is possible to create "global" cookies with the help of Auth0 Actions and Flows, but I saw that the "api" object in the script does not provide methods to do what I want. (I also saw that it is possible to inject other npm module dependencies, but I have not had the time to try this yet. I am still on it.) (It seems this was possible with Rules, but they will become deprecated, so I am not using them.)

  3. I tried what happens if I trigger silent authentication from a different app, but I always got a "login required" error code back. (I tried with different SDKs and different authorizationParams like prompt=none, but I always received "login required".)

  4. Is there any way to send something like a "discovery" request to see if the user is authenticated: a) against certain applications, or b) against the tenant in general? So basically, with one request, check whether there is a valid IdP session for the user.

I know that there is a way to have a "general application" from which we could perform the authentication or "collect" the cookies, but I would like to know whether what I wrote in the previous points (2., 3., 4.) is possible.

Thanks in advance
Peter


Is that issue solved? Can you tell me how to implement SSO in Auth0 between two separate Angular applications using separate user databases registered in the same tenant?

Hello again,
I did not receive any answer in the last 20 days. It is okay if Auth0 is not able to provide a solution for the requested behavior, but please then let me know, because then we will search for different workarounds.
Thanks
Peter

Hi,

Did you find a solution for this?
I also created a custom domain for authentication, which is auth.y.com according to your sample. But still it does not work.

Thanks

Hi,

I also want an answer for this.

The problem for me was:

I was using the prompt=login option for loginWithRedirect. This will always show the login prompt even if there is a valid session on the server. I just removed the prompt=login option and it works now.