Bret, I think you have interesting questions.
In the first place, we must not lose sight of what SSO is, and this occurs when a user logs in to one application and is then signed in to other applications automatically, regardless of the platform, technology, or the domain the user is using. The user signs in only one time (hence the name of this feature).
A clear SSO example is Google’s implementation of login for their products, such as Gmail, YouTube, Google Analytics, and so on. Any user that is logged in to one of Google’s products is automatically logged in to their other products as well (and they have been successful in this implementation).
However, considering your original question for this post “Is Auth0 right for us?”
Keeping in mind Single Sign On usually makes use of a Central Service which orchestrates the single sign in between multiple clients, Auth0 facilitates the implementation of this scenario as follows:
In the case of SSO with Auth0, the Central Service is the Auth0 Authorization Server, so, let’s look at how the SSO flow looks when using Auth0 and a user visits your application for the first time:
- Your application will redirect the user to the Auth0 Hosted Lock page where they can log in.
- Auth0 will check to see whether there is an existing SSO cookie.
- Because this is the first time the user visits this Hosted Lock page, and no SSO cookie is present, they may be presented with username and password fields and also possibly some Social Identity Providers such as LinkedIn, GitHub, etc. (The exact layout of the Lock screen will depend on the Identity Providers you have configured.)
- Once the user has logged in, Auth0 will set an SSO cookie.
- Auth0 will also redirect back to your web application and will return an id_token containing the identity of the user.
Finally, in response to your specific questions:
Should I be looking at Auth0 as a possible solution for us?
A- Of course, Auth0 provides you with the implementation of a flow for SSO, so it is a possible solution for what you want to achieve.
If so, does that mean that Auth0 would store all of our customers’ credentials?
A- Yes, remember that for this scenario of SSO we need a Central Service, in this case, it would be the Auth0 Authorization Server that would be in charge of validating the credentials of the user who tries to access your different applications making a single login.
In other words, with the description of your organization model, I think Auth0 would help you a lot to simplify the implementation of SSO for you.
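The five-step flow described in the reply above, as an added example (not Auth0's own code): a toy central service that keys SSO sessions on the SSO cookie, so a first visit shows the login page while a second application's visit with the cookie skips the prompt. The user store, the `central-auth` issuer name and the HMAC-signed id_token stand-in are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

class CentralAuthServer:
    """Model of the central service (Auth0 Authorization Server in the reply)."""
    def __init__(self, signing_key: bytes):
        self.key = signing_key
        self.sso_sessions = {}                 # SSO cookie value -> user id
        # constructed sample store; a real one holds password hashes, not plaintext
        self.users = {"bret": "correct horse battery"}

    def authorize(self, sso_cookie, credentials=None):
        """Steps 2-5: look for an existing SSO cookie; if absent, require a login."""
        if sso_cookie in self.sso_sessions:
            user = self.sso_sessions[sso_cookie]
            return "already_logged_in", sso_cookie, self.issue_id_token(user)
        if credentials is None:
            return "show_lock", None, None     # step 3: present the Lock page
        user, password = credentials
        if not hmac.compare_digest(self.users.get(user, ""), password):
            return "show_lock", None, None     # bad credentials: stay on Lock
        cookie = secrets.token_urlsafe(32)     # step 4: set a fresh SSO cookie
        self.sso_sessions[cookie] = user
        return "logged_in", cookie, self.issue_id_token(user)

    def issue_id_token(self, user):
        """Step 5: compact signed token (HMAC stand-in for a real signed id_token)."""
        payload = json.dumps({"sub": user, "iss": "central-auth", "iat": int(time.time())})
        body = base64.urlsafe_b64encode(payload.encode()).rstrip(b"=").decode()
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"

def verify_id_token(token, key):
    """What the application does with the returned id_token before trusting it."""
    body, sig = token.split(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))

def demo():
    key = b"constructed-demo-key"
    server = CentralAuthServer(key)
    first, _, _ = server.authorize(sso_cookie=None)            # app A, no cookie yet
    status, cookie, _ = server.authorize(None, ("bret", "correct horse battery"))
    status_b, cookie_b, token_b = server.authorize(cookie)     # app B, cookie present
    claims = verify_id_token(token_b, key)
    return first, status, status_b, cookie_b == cookie, claims["sub"]
```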