Problem statement
I want my users to click the Auth0 App in Okta and login with SSO to the Auth0 Dashboard.
Cause
IdP-initiated login is not actually supported for Dashboard SSO. What you get instead is a simulated experience: the flow is SP-initiated, but the user is sent straight to the IdP, so it feels as if the login started there.
Solution
- Hide the SAML app from users.
This means hiding the SAML app you created for the Auth0 SSO integration from the users who need to access your Tenant from Okta.
- Create a Bookmark App that points to https://manage.auth0.com/login?connection={assignedConnectionName}. This is the application users will select to log in.
If you click on that link, it will lead you to an Okta document titled “Simulate an IdP-initiated flow with the Bookmark App”, and that is exactly what we are doing here: simulating that the flow starts from Okta while, under the hood, it is initiated from Auth0. The URL you need to include is https://manage.auth0.com/login?connection={yourSSOconnection}, which points to Universal Login with your SSO connection.
When users click the Bookmark App, they are redirected to the Auth0 URL which, in turn, redirects them to the Okta login, giving the illusion that the flow started from Okta.
However, the Bookmark App only operates as a user-friendly link to log your teammates into Auth0 Tenants. The actual configuration lives in the other application (the SAML app you have already configured), and every URL field there should contain the callback URL: https://auth0.auth0.com/login/callback.
That SAML application does not do the work of logging in from Okta; it exists only for the SSO integration.
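As an added sanity check (not part of the original article or of any Okta or Auth0 tooling), the following Python snippet validates the two pieces of configuration described above: the Bookmark App URL must be an https link to manage.auth0.com/login carrying exactly one connection parameter that matches your SSO connection and has no template placeholder left in it, and every URL field of the SAML app must equal the callback URL. The SAML field names in the dictionary and the connection name okta-example are assumptions chosen for the example.

```python
from urllib.parse import urlparse, parse_qs

EXPECTED_LOGIN_HOST = "manage.auth0.com"
EXPECTED_LOGIN_PATH = "/login"
EXPECTED_CALLBACK = "https://auth0.auth0.com/login/callback"

# Assumed keys standing in for the URL fields of the Okta SAML app.
SAML_URL_FIELDS = ("single_sign_on_url", "recipient_url", "destination_url", "audience_uri")


def check_bookmark_url(url: str, connection_name: str) -> list[str]:
    """Return the problems found in a Bookmark App URL (an empty list means it is fine)."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append("scheme must be https")
    if parsed.netloc != EXPECTED_LOGIN_HOST:
        problems.append(f"host must be {EXPECTED_LOGIN_HOST}, got {parsed.netloc!r}")
    if parsed.path != EXPECTED_LOGIN_PATH:
        problems.append(f"path must be {EXPECTED_LOGIN_PATH}, got {parsed.path!r}")
    # parse_qs drops empty values, so 'connection=' counts as missing.
    connections = parse_qs(parsed.query).get("connection", [])
    if len(connections) != 1:
        problems.append("exactly one non-empty connection parameter is required")
    elif "{" in connections[0] or "}" in connections[0]:
        problems.append("connection still contains a template placeholder")
    elif connections[0] != connection_name:
        problems.append(f"connection must be {connection_name!r}, got {connections[0]!r}")
    return problems


def check_saml_app_fields(fields: dict) -> list[str]:
    """Every URL field of the Auth0 SSO integration app must hold the callback URL."""
    problems = []
    for name in SAML_URL_FIELDS:
        value = fields.get(name)
        if value != EXPECTED_CALLBACK:
            problems.append(f"{name}: expected {EXPECTED_CALLBACK}, got {value!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample configuration; the connection name is a placeholder.
    bookmark = "https://manage.auth0.com/login?connection=okta-example"
    saml_app = {name: EXPECTED_CALLBACK for name in SAML_URL_FIELDS}
    for problem in check_bookmark_url(bookmark, "okta-example") + check_saml_app_fields(saml_app):
        print("PROBLEM:", problem)
```

Run it against the values you actually entered in Okta; any line printed is a field to fix before handing the Bookmark App to users.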
You can run your Dashboard SSO regardless of HRD (Home Realm Discovery), which is a separate feature. HRD lets users log in from auth0.com with their company email and be redirected to Okta when it detects that the email domain matches your integration.
HRD is not enabled until you ask for it. The reason is that you may need to invite many users to your Tenant through the email/password connection first, and it is more user-friendly to enable HRD once all the users have been created. Then, with HRD enabled, you need to bypass the default SSO connection as explained here: