Samlp endpoint doesn't care that a user's already logged in

After googling around, reading the Auth0 docs (which are of no use, because anything I find is outdated) and forums for hours trying to resolve my issue, I’ve yet to find anything.

Previously, I’ve used a hidden iframe with the URL set to https://<MY_APPLICATION_URL>/samlp/<CLIENT_ID> as instructed by the Saml2 web app addon in my applications dashboard, and it’s worked flawlessly, until recently, where it’s just broken completely.

In order to log a user in, I’m using the auth0-js library, and it’s updated to the latest version, as such:

const auth0 = new auth0.WebAuth({
	domain: process.env.REACT_APP_AUTH0_DOMAIN,
	clientID: process.env.REACT_APP_AUTH0_CLIENT_ID,
	redirectUri: process.env.REACT_APP_AUTH0_REDIRECT_URI,
	responseType: 'token id_token',
	scope: 'openid profile email',


This works perfectly fine to log the user in, and in order to get the SAML data, I’d expect Auth0 to know the user’s still logged in, as the samlp endpoint redirects to the universal login page.

But, it doesn’t.

It has no idea that the user’s logged in, meaning they have to login again, which isn’t something that they should have to do, seeing as they’ve already done so.

If the user does however login, they get redirected just fine.

As I’m out of options and have no idea what the hell is going wrong, I’m asking you here, and I hope for answers that aren’t just links to the docs, because again, the docs have no useful information for my scenario.


Using the /samlp endpoint redirects the user to the hosted login, which has no idea that the user is logged in.

Hello, @Sven65! Welcome back to the Auth0 Community :slight_smile:

I’m confused here. You mention using Auth0 as a SAML IdP. Yet, you show us Auth0.js code for an /authorize request, which, in turn, uses OIDC.

Could you please clarify what it is that you use that code for?