Persist data on Auth0 session (SSO)?

Mostly thinking out loud here, but the target of the redirect rule will have to be an HTTP(S) endpoint so that the target can also manage its own session (through cookies) to track the fact that this is an existing context.

This would imply that the redirect would still need to be triggered, but it would respond immediately if there’s already a context for the user who triggered it. This would make the context claim bound to the browser session by default, and additionally you could bind it to a user identifier.

The flow would be something like this assuming we start with a fresh browser session:

  1. user accesses the application and triggers a login.
  2. user completes authentication in Auth0.
  3. user gets redirected by rule.
  4. target of redirect rule has no existing session, so it generates a new context and binds it to the browser session through a cookie, and optionally associates it with the user identifier that you can send when triggering the redirect.
  5. user accesses second application and triggers a login.
  6. due to SSO, credentials are no longer requested, but the redirect rule is triggered.
  7. target of redirect rule checks that there is an existing context for this user and returns immediately with the same context.