SAML login not working properly when `connection` included in the /authorize request

Problem statement

We are doing the IdP-initiated login through Auth0. The flow is as follows:

  1. The user logs into the IdP
  2. IdP sends a request to Auth0
  3. Auth0 authenticates them and redirects them back to our client using OIDC (including code)
  4. The client sees the user as unauthenticated and sends an /authorize request including the code from step 3.
  5. Auth0 responds to the callback with a valid token

This works fine when the /authorize request ONLY includes an organization. However, when we code the client to include both organization AND connection, Auth0 redirects the user to the connection's Sign In URL.

Why does this work properly when only Organization is included but not Organization and Connection?

Cause

When an /authorize request includes a ‘connection’ parameter, Auth0 will always redirect the user to the upstream IdP by design. Some IdPs may send the user back seamlessly, but others may show the login page.

Solution

If you want to log in with an existing session, the application should omit the ‘connection’ parameter when making the /authorize request. This is also one less piece of logic for the application to handle, as it no longer needs to know which connection the user signed in with.

The presence or absence of the ‘organization’ parameter should not change this behavior.