Implement SSO between multiple applications with different domains. Is it possible via Auth0?

I have two applications: Ninja and Samurai.

Ninja is a multi-tenant application hosted under ninja.com, running on a single web server for all customers.

Samurai, on the other hand, is a single-tenant application, where each customer has its own subdomain and web server (e.g., customer1.samurai.com, customer2.samurai.com, etc.).

I would like to implement Single Sign-On (SSO) between Ninja and Samurai. Specifically:

• If a user logs in to customer1.samurai.com, they should also be authenticated on ninja.com without needing to re-enter their credentials, and vice versa.

Additionally, after login, I need to retain user claims, as these claims determine the application’s logic flow. For example, a claim might indicate the organization the user belongs to. This is especially important for ninja.com (a multi-tenant app), where I want to display only data relevant to the signed-in user’s organization.

Is this possible to achieve using Auth0?

Hi @mostafa.moniem90

Welcome to the Auth0 Community!

SSO between applications should work seamlessly as long as both applications have the same database connection enabled for user storage. In that case, a user already authenticated through App1 will already be logged in to App2 with the same user profile.

You can read more about that here:

If you have any other questions, feel free to leave a reply!

Kind Regards,
Nik

Hi @nik.baleca

Many thanks for your reply!

Both apps have their own/individual databases, but I do have a mechanism to sync users across both. So, no worries from that side. What I am really trying to achieve is below scenario:

1- A user logs in to customer1.samurai.com, gets authenticated via Auth0, and gets redirected back to customer1.samurai.com. The Samurai app will have several customers, each with its own subdomain (customer2.samurai.com, customer3.samurai.com, etc.)

2- After a successful login, the user is redirected back to the Samurai app with the correct subdomain.

3- Now, the user navigates to the Ninja app (ninja.com) and gets redirected to Auth0 for authentication. Auth0 identifies that the user is signed in already, so Auth0 would redirect the user back to ninja.com with a valid token, without asking the user to re-enter the credentials.

4- And vice versa: a user can log in to the Ninja app first and then navigate to the Samurai app.

Please note that:

1- The Samurai app is a single-tenant application; each customer has its own deployment and web server, and can access the app via a subdomain.
2- Ninja is a multi-tenant app, and all users from all Samurai apps are registered there, but as mentioned, I do have a mechanism for syncing users.
3- The Samurai and Ninja apps do not share a parent domain.

So, my worries are more about SSO: that a user signed in to one of the apps can navigate to the other without re-entering credentials on Auth0, and that Auth0 will just redirect back with a valid token.

So, is this something that can be achieved by using Auth0?
Thanks in advance.

Hi again,

To answer your questions.

For the Ninja App, if the app is a multi-tenant one, SSO will not work between the applications. However, I am not 100% sure; in the instance that the application has an instance on the same Auth0 tenant, SSO might be possible between the applications. If the Ninja App is on a different tenant, SSO will not be possible unless the tenant for the Ninja App is used as the IdP for the Samurai App.

In order for the applications to have SSO between them, they must have the same database connection enabled on the Auth0 tenant. Even if the users are synced between the different database connections, that might not allow them to have SSO between them, since the applications do not share that common database and the users are only synced. If the applications have 2 different databases on the same tenant and there is a 3rd one which syncs users from both applications, in that case SSO will work as expected between them. If the databases are only synced and the applications do not share a common one, SSO will not work.
Otherwise, since the Ninja App is a multi-tenant app but does not have multiple subdomains like the Samurai App, if you have an instance of the Ninja App on the same tenant as the Samurai App and both of these applications have the users synced through a 3rd database which is enabled on both applications, SSO should theoretically work between these applications.

As I have explained above, in theory this use case should be possible if the above conditions are met; however, I would recommend first testing the configuration and integration of these apps within Auth0 to see if the proposed solution above is possible. Due to the behaviour of multi-tenant apps, I cannot provide a guaranteed answer that this is possible. In most cases, multi-tenant SSO is not possible within Auth0 and would require a custom implementation for it to work; it is not something Auth0 provides out-of-the-box.

I hope you find the explanation above useful. If I can help with any other questions, let me know.

Kind Regards,
Nik