Remove Auth0 Internal Cookie Requirement During SSO

Feature: Remove Auth0 Internal Cookie Requirement During SSO

Description:
Due to Auth0’s use of cookies to maintain state inside of an internal redirect, we cannot use it in a cross-domain iframe in Safari. Safari Intelligent Tracking Prevention will delete the cookies and Auth0 will present an error message. The desired workaround is for Auth0 to avoid using cookies to maintain state between pages so that Safari ITP doesn’t break Auth0 inside of the cross-domain iframe.

Use-case:
We are hosting a multi-tenant solution that authenticates users through Auth0. Our users will be logged into many different websites with different URLs. They will click a link that initiates a SAML SSO IdP-Initiated assertion to a SAML Connection/Authentication at Auth0.

This occurs inside of an iframe, and the domain of the surrounding frame must be different from the Auth0 domain. Since the domain of the iframe cannot match the domain of our Auth0 tenant, Safari Intelligent Tracking Prevention will delete/not set any cookies that are set by Auth0.

The error is occurring when Auth0 is internally redirecting between these two URLs:
https://extole.auth0.com/login/callback?connection=Client-Connection-SAML
https://extole.auth0.com/authorize/resume?state=K6ddWMRczRTM-7yQkJiHTS7zxXJGVHdQ

Because the Auth0 instance is in a cross-site iframe, Safari ITP is blocking and not persisting the following two cookies:
did=s:v0:1e468870-0c62-11ec-852f-b9849d34923b.Gcp/sh59HmUrpVb2Eh1Ma/NbHfuLM/moonYsE92KiDk
auth0=s:WGv-GT5P2csdcWG2QG1DM0tWs2P-_viS.h6o2VFJO4u2bZ8VykhUCLiL+x7dux1Co1JvbuYJBypU

Since the Auth0 cookies are not persisted, it causes Auth0 to show an error page that state has been lost.

Tracked as a support ticket as well: Auth0 Support Center
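As an added example (not Auth0's code and not from the original post), here is a client-side check the embedding page can run before starting the SAML flow: it uses the Storage Access API (document.hasStorageAccess / document.requestStorageAccess, assumed to be available in the browsers of interest) to find out whether the iframe can keep cookies at all, and otherwise navigates the top-level window instead of letting the embedded flow fail at the /authorize/resume hop. The `ctx` fields, the function names and `ssoUrl` are assumptions of this example.

```javascript
// Added example: decide where to launch an embedded SSO flow.
// Safari ITP drops cookies set by a cross-site iframe, so Auth0's
// /login/callback -> /authorize/resume redirect loses the state cookies.
// Detect that up front and fall back to a top-level navigation rather
// than showing the user a "state lost" error page.

// Pure decision function (synchronous so it is easy to unit-test).
//   ctx.embedded:         the document is not the top-level window
//   ctx.storageAccessApi: document.hasStorageAccess exists
//   ctx.hasStorageAccess: result of document.hasStorageAccess()
function chooseSsoLaunchMode(ctx) {
  if (!ctx.embedded) return "inline";            // top-level page: first-party cookies
  if (!ctx.storageAccessApi) return "top-level"; // cannot probe, assume cookies are blocked
  if (ctx.hasStorageAccess) return "inline";     // unpartitioned cookies are available
  return "request-access";                       // may obtain access via a user gesture
}

// Browser glue. `doc` and `win` are injected (document / window in real use)
// so the logic can also be exercised outside a browser.
async function launchSso(doc, win, ssoUrl) {
  const ctx = {
    embedded: win.top !== win.self,
    storageAccessApi: typeof doc.hasStorageAccess === "function",
    hasStorageAccess: false,
  };
  if (ctx.embedded && ctx.storageAccessApi) {
    ctx.hasStorageAccess = await doc.hasStorageAccess();
  }
  let mode = chooseSsoLaunchMode(ctx);
  if (mode === "request-access") {
    try {
      // requestStorageAccess() only succeeds inside a user gesture (e.g. a click handler)
      await doc.requestStorageAccess();
      mode = "inline";
    } catch (_) {
      mode = "top-level";
    }
  }
  if (mode === "inline") {
    win.location.href = ssoUrl;     // run Auth0 inside the iframe
  } else {
    win.top.location.href = ssoUrl; // break out of the iframe so cookies are first-party again
  }
  return mode;
}
```

Wire `launchSso(document, window, ssoUrl)` to the click handler of the link that starts the IdP-initiated assertion, since the storage-access request must come from a user gesture.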

Hi @jreed,

Thank you for submitting your feedback!

Have a great rest of your day.