Okta SAML integration with Auth0 + NuxtJS causing infinite redirect loop

Hi there,

We have a NuxtJS front-end which uses the Nuxt community plugin to integrate Auth0 as a provider. Each customer has an Auth0 Organization, with the relevant authorisation methods they require (e.g. most just want email/pass and/or Google SSO, but others require other forms of SSO).

Using all of the official guides provided by Auth0 (Okta SAML & IdP-initiated config), we have attempted to integrate Okta SSO with SAML for one of our customers. On our UAT tenant the integration works as expected - we can sign in through both our front-end and through an Okta dashboard IdP-initiated session. On the prod tenant, signing in from our front-end also works fine; however, we are facing an issue where signing in through an Okta IdP-initiated session gets stuck in an infinite loop of redirects. This happens no matter what settings we change in Auth0 in terms of the IdP Response Protocol, Query String, etc.

The front-end framework we are using doesn’t seem to have the option of setting the __enableIdPInitiatedLogin value as described for Lock/Auth0.js, since the framework doesn’t actually utilise Lock/Auth0.js.

The current flow looks like this after attempting to launch an IdP-initiated session from the Okta dashboard:

https://ourauth0domain.au.auth0.com/login/callback?connection=okta-customername
→ redirect (302)
https://ourauth0domain.au.auth0.com/authorize/resume?state=xxxxx
→ redirect (302)
https://ourauth0domain.au.auth0.com/login?state=someverylongstate&client=xxxxx&protocol=oauth2

#1 - At this point we are presented with the Okta SSO sign-in, where we provide an email address (or click a button to proceed), which then initiates the redirect loop:

https://ourauth0domain.au.auth0.com/authorize?client_id=xxxxx&response_type=token&redirect_uri=https%3A%2F%2Fourdomain.com%2Fdashboard&scope=openid%20profile%20email&state=xxxxx&connection=okta-customername&is_submitting=false&sso=true&protocol=oauth2&_csrf=xxxxx&_intstate=deprecated&auth0Client=xxxxx
→ success (200)

#2 - This redirects to:

https://ouroktadomain.okta.com/app/ouroktasamlapp/xxxxx/sso/saml
→ success (200)

#3 - This redirects to:

https://ourauth0domain.au.auth0.com/login/callback?connection=okta-customername
→ redirect (302)
https://ourauth0domain.au.auth0.com/authorize/resume?state=xxxxx
→ success (200)

Once again, this redirects back to #2.

We have tried all sorts of config changes including allowed callback URLs, identity provider domains, response types etc. These seem to make minor differences, but nothing resolves the redirect loop. For what it’s worth, the IdP-Initiated SSO settings that work on the UAT tenant are set to Response Protocol = OpenID Connect and Query String = response_type=token.

Any ideas?

Regards,
Aleks
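Added example, not part of Aleks's post or of any Auth0/Nuxt code: a small Node.js script that confirms a redirect loop mechanically from a captured hop list (the request URLs of a devtools or HAR export) instead of reading it by eye. Per-hop volatile parameters (state, CSRF token, nonce, SAML payloads) are stripped so that two visits to the same endpoint compare equal, then the tail of the chain is checked for a repeating period. The SAMPLE_HOPS list is constructed from the sequence in the post, using the post's placeholder hostnames and values; the set of parameters treated as volatile is an assumption and may need extending for other providers.

```javascript
// Added diagnostic (not from the original post): detect a cycle in a chain of
// redirect hops captured from browser devtools / a HAR export.

// Parameters that change on every hop; stripped so repeated endpoints compare
// equal. This list is an assumption and may need extending for other IdPs.
const VOLATILE_PARAMS = new Set([
  'state', '_csrf', 'nonce', 'code', 'auth0Client', 'SAMLResponse', 'RelayState',
]);

// Reduce a URL to a stable key: host + path + non-volatile query params, sorted.
function normalizeHop(url) {
  const u = new URL(url);
  const kept = [...u.searchParams.entries()]
    .filter(([k]) => !VOLATILE_PARAMS.has(k))
    .sort(([a], [b]) => a.localeCompare(b))
    .map(([k, v]) => `${k}=${v}`);
  return `${u.host}${u.pathname}${kept.length ? '?' + kept.join('&') : ''}`;
}

// Look for a repeating period at the tail of the chain. Requiring at least
// `minRepeats` full repetitions avoids flagging the legitimate first visit to
// an endpoint (e.g. the initial /login/callback) as a loop.
// Returns { period, cycle } or null when the tail is not periodic.
function findRedirectLoop(hops, minRepeats = 2) {
  const keys = hops.map(normalizeHop);
  const n = keys.length;
  for (let p = 1; p * minRepeats <= n; p++) {
    let periodic = true;
    for (let i = n - p * minRepeats; i < n - p; i++) {
      if (keys[i] !== keys[i + p]) { periodic = false; break; }
    }
    if (periodic) return { period: p, cycle: keys.slice(n - p) };
  }
  return null;
}

// Constructed sample: the hop sequence described in the post, with its
// placeholder hosts and values (not a real capture).
const AUTH0 = 'https://ourauth0domain.au.auth0.com';
const OKTA = 'https://ouroktadomain.okta.com/app/ouroktasamlapp/xxxxx/sso/saml';
const SAMPLE_HOPS = [
  `${AUTH0}/login/callback?connection=okta-customername`,
  `${AUTH0}/authorize/resume?state=xxxxx`,
  `${AUTH0}/login?state=someverylongstate&client=xxxxx&protocol=oauth2`,
  `${AUTH0}/authorize?client_id=xxxxx&response_type=token` +
    '&redirect_uri=https%3A%2F%2Fourdomain.com%2Fdashboard&scope=openid%20profile%20email' +
    '&state=xxxxx&connection=okta-customername&is_submitting=false&sso=true' +
    '&protocol=oauth2&_csrf=xxxxx&_intstate=deprecated&auth0Client=xxxxx',
  OKTA,
  `${AUTH0}/login/callback?connection=okta-customername`,
  `${AUTH0}/authorize/resume?state=yyyyy`,
  OKTA,
  `${AUTH0}/login/callback?connection=okta-customername`,
  `${AUTH0}/authorize/resume?state=zzzzz`,
  OKTA,
];

console.log(JSON.stringify(findRedirectLoop(SAMPLE_HOPS), null, 2));
```

On the constructed chain the script reports a period of three hops (Okta SAML endpoint, Auth0 /login/callback, Auth0 /authorize/resume), which matches the #2 → #3 → #2 cycle in the post; feeding it the hops up to and including the first Okta visit returns null, since no endpoint has repeated yet. To run it on a real capture, replace SAMPLE_HOPS with the request URLs from the HAR export in order.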