IdP initiated SSO when using Organizations

I’m integrating a SaaS app with Auth0 to abstract SAML integration for our customers, and we got the SP initiated flows in place, but I’m hitting a wall when trying to get the IdP initiated flow to work using Okta.

The Okta application is using the https://AUTH0_DOMAIN/login/callback?connection=CONNECTION_NAME post back URL, and the connection IdP-Initiated SSO settings are set to accept requests, but all the attempts to sign in from the IdP are failing with “parameter organization is required for this client”.

I’ve attempted to append a organization=ORGANIZATION_NAME to the post back URL query parameters without success.

Where does Auth0 expects me to set the organization parameter, and does it have to be the organization’s internal ID or just the name would be enough?

Hi @lmazza-remote , welcome to the community!

I’m afraid that at this time, Auth0 doesn’t support IdP Initiated logins with an Organization context. You would need to allow users to login without an organization to your client to get IdP initiated to work. But I believe native support of IdP Initiated with Organizations is something being considered by our Product team.

To workaround this, depending on your use case you may be able to configure your application to detect a user had not logged in with an organization context (e.g. via validating their tokens), and attempt a silent authentication with the relevant Organization parameter in place to get tokens in that context.

If that does not work for your use case, I would recommend raising a feature request here: Feedback

2 Likes

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.

For anyone coming across this thread, IdP-initiated SSO with Organizations is supported and you can learn more here: Auth0 Changelog