Hello,
we have the following setup in our company. On our tenant we have multiple applications that are used by different teams and hosted on different domains.
In our project we have 3 applications that are closely related. They have the following hosting setup:
- app1: app1.x.y.com
- app2: app2.x.y.com
- app3: app3.y.com
We have a requirement to implement Seamless-SSO between the applications, so
when the user is authenticated in one of the applications and switches to a different one, we would like to maintain the authenticated state by redirecting the user to the login (where SSO takes place), so that when the user reaches the other application, the user stays authenticated.
The problem is not the SSO (that is taken care of by Auth0; we use the same connection and also the same tenant). The "problem", or rather the challenge, is how to detect that the user is already authenticated in a different application, so that we could trigger the authentication.
I spent the last couple of days reading the different community topics and the Auth0 documentation to see what the possible options are.
1. As I wrote, the tenant is used by different teams and applications, so it is not possible to set a "common" custom domain (so please take this as not a possible option).
2. I checked whether it is possible to create "global" cookies with the help of Auth0 Actions and Flows, but I saw that the "api" object in the script does not provide methods to do what I want. (I also saw that it is possible to inject other npm module dependencies, but I have not had the time to try this yet; I am still on it.) (It seems this was possible with Rules, but they are being deprecated, so I am not using them.)
3. I tried what happens if I trigger silent authentication from a different app, but I always got the "login required" error code back. (I tried with different SDKs and different authorizationParams like prompt=none, but I always received "login required".)
4. Is there any way to send something like a "discovery" request to see whether the user is authenticated a) against certain applications, or b) against the tenant in general? So basically, with a single request, check whether there is a valid IdP session for the user.
I know that there is a way to have a "general application" from which we could perform the authentication or "collect" the cookies, but I would like to know whether what I wrote in the previous points (2., 3., 4.) is possible.
Thanks in advance
Peter