A little background on my current configuration. Users of the application are authenticated through an Auth0 SPA application, which has an Auth0 database connection active and uses the OpenID Connect authentication flow. Now we have a user set that needs to authenticate through a customer-owned Okta (IdP) with SAML2. I have created a new Auth0 SAMLP connection configured (SP) to talk to the Okta (IdP) and linked the connection through a new Auth0 SPA application as described here. If I go through my application’s normal login flow using the Auth0 hosted login (SP), I am presented with an SSO challenge to authenticate with Okta (IdP). This flow is working as expected.
I would like to get the IdP-initiated SSO flow to work as well. I followed this guide. I think I am pretty close to having it work, but the access token I receive back from Okta seems to be invalid. For example, the access token looks like this in the hash: “G-3gMBs1kzY5Q8D0zKy06cIz7hRXfqu3”. The other issue I found through debugging the auth0-js library was that it seemed to be expecting an id_token, which was not coming through. I was able to solve this by setting response_type=token id_token in the IdP-initiated settings on my SAMLP connection. After doing that I get a valid id_token back that I can parse at jwt.io and verify it’s my user information. I am a little confused about what to set as the response protocol in the IdP-initiated SSO settings for my connection. It seems like it should be what my application uses to authenticate to Auth0, which in my case is OpenID Connect. I have it set up this way currently. I did try setting it to SAML, but with it set up that way it seemed like Okta was only passing through the code exchange, and I am not handling that flow.
I would like to keep my core application authenticating with Auth0 using the OpenID Connect flow, but also have the ability to add enterprise SAML2, PingFederate, etc. connections working with Auth0 as the SP, and have the ability to implement the IdP-initiated flow. Honestly, I am not a security expert, but I am currently under the impression that Auth0 would act as the universal token manager for my application across connection types. However, when I try the IdP-initiated flow, maybe it doesn’t work this way.
Any help would be greatly appreciated!
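As an added illustration of the hash-fragment response described above (example code, not from the original post or from Auth0/auth0-js): with response_type=token id_token the callback carries an opaque access_token and a JWT id_token in the URL fragment; this Node.js snippet parses the fragment, tells the two token kinds apart, and checks the id_token's core claims. The tenant issuer, client id and sample id_token are constructed placeholders; signature verification against the tenant's JWKS is assumed to be done separately (as auth0-js does) and is not shown here.

```javascript
// Parse "#access_token=...&id_token=...&token_type=Bearer" into an object.
function parseHashFragment(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  return Object.fromEntries(params.entries());
}

// A JWT is three base64url segments separated by dots; an opaque Auth0
// access token (issued when no API audience is requested) has no dots.
function isJwt(token) {
  return /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/.test(token);
}

// Decode the payload segment only (no signature check here).
function decodeJwtPayload(token) {
  const payload = token.split('.')[1];
  return JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
}

// Check the claims an SPA should verify before trusting an id_token:
// issuer is our Auth0 tenant, audience is our client id, not expired.
function checkIdTokenClaims(token, { issuer, clientId, now = Date.now() / 1000 }) {
  if (!isJwt(token)) return { ok: false, reason: 'not a JWT' };
  const c = decodeJwtPayload(token);
  if (c.iss !== issuer) return { ok: false, reason: 'iss mismatch' };
  const aud = Array.isArray(c.aud) ? c.aud : [c.aud];
  if (!aud.includes(clientId)) return { ok: false, reason: 'aud mismatch' };
  if (typeof c.exp !== 'number' || c.exp <= now) return { ok: false, reason: 'expired' };
  return { ok: true, claims: c };
}

// Constructed sample input: placeholder tenant, client id and signature.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}
const SAMPLE_ISSUER = 'https://example-tenant.auth0.com/';
const SAMPLE_CLIENT_ID = 'SPA_CLIENT_ID_PLACEHOLDER';
const SAMPLE_ID_TOKEN = [
  b64url({ alg: 'RS256', typ: 'JWT' }),
  b64url({ iss: SAMPLE_ISSUER, sub: 'samlp|okta|user1', aud: SAMPLE_CLIENT_ID,
           exp: 4102444800, iat: 1600000000 }),
  'placeholder-signature',
].join('.');
const SAMPLE_HASH =
  `#access_token=G-3gMBs1kzY5Q8D0zKy06cIz7hRXfqu3&id_token=${SAMPLE_ID_TOKEN}&token_type=Bearer`;

const parsed = parseHashFragment(SAMPLE_HASH);
const result = checkIdTokenClaims(parsed.id_token, { issuer: SAMPLE_ISSUER, clientId: SAMPLE_CLIENT_ID });
console.log(isJwt(parsed.access_token), result.ok, result.claims && result.claims.sub);
```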