Samlp endpoint doesn't care that a user's already logged in

After googling around, reading the Auth0 docs (which are of no use, because anything I find is outdated) and forums for hours trying to resolve my issue, I’ve yet to find anything.

Previously, I’ve used a hidden iframe with the URL set to https://<MY_APPLICATION_URL>/samlp/<CLIENT_ID> as instructed by the SAML2 Web App addon in my applications dashboard, and it worked flawlessly until recently, when it just broke completely.

In order to log a user in, I’m using the auth0-js library, and it’s updated to the latest version, as such:

import auth0 from 'auth0-js'

// Name the instance differently from the module so the import isn't shadowed
// (const auth0 = new auth0.WebAuth(...) throws a "before initialization" error)
const webAuth = new auth0.WebAuth({
	domain: process.env.REACT_APP_AUTH0_DOMAIN,
	clientID: process.env.REACT_APP_AUTH0_CLIENT_ID,
	redirectUri: process.env.REACT_APP_AUTH0_REDIRECT_URI,
	responseType: 'token id_token',
	scope: 'openid profile email',
})

// Redirects the browser to the hosted (universal) login page
webAuth.authorize()

This works perfectly fine to log the user in, and in order to get the SAML data, I’d expect Auth0 to know the user’s still logged in, as the samlp endpoint redirects to the universal login page.

But, it doesn’t.

It has no idea that the user’s logged in, meaning they have to log in again, which isn’t something they should have to do, seeing as they’ve already done so.

If the user does log in, however, they get redirected just fine.

As I’m out of options and have no idea what the hell is going wrong, I’m asking you here, and I hope for answers that aren’t just links to the docs, because again, the docs have no useful information for my scenario.

TL;DR:

Using the /samlp endpoint redirects the user to the hosted login, which has no idea that the user is logged in.

Hello, @Sven65! Welcome back to the Auth0 Community 🙂

I’m confused here. You mention using Auth0 as a SAML IdP. Yet, you show us Auth0.js code for an /authorize request, which, in turn, uses OIDC.

Could you please clarify what it is that you use that code for?

Thanks!

The provided code is the initial login request for Auth0, which redirects the user to the hosted single sign-on page.

After this, I want to silently use the /samlp endpoint to authenticate the user with auth0 to get an AWS token. To do this, I was using a hidden iframe with the URL set to https://<MY_APPLICATION_URL>/samlp/<CLIENT_ID>, which has worked flawlessly in the past, but it doesn’t work anymore.

What happens is that the user gets redirected to the login page as they’re supposed to, but the user needs to log in again, despite having done so a minute prior. As the session expiry is set to 3600 seconds, I believe this isn’t the intended behavior.

I don’t want to redirect the user to the SSO page in the main application either, as this would break the flow and the loaded data.
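The hidden-iframe approach described in the first post and again above, as an added example that is not code from the thread, from Auth0 or from auth0-js: it builds the https://<domain>/samlp/<client id> URL, loads it in a hidden frame with a timeout, and checks the origin of any message the parent page might accept from a frame. The domain and client id values are constructed placeholders; the `RelayState` parameter is a standard SAML parameter the IdP passes through to the service provider, and its use here is an assumption about what the poster's AWS setup needs.

```javascript
// Added example, not code from the thread or from Auth0. Placeholder values:
const AUTH0_DOMAIN = 'example.eu.auth0.com';   // constructed
const CLIENT_ID = 'CLIENT_ID_PLACEHOLDER';     // constructed

// Build the samlp URL. The domain is restricted to hostname characters and the
// client id is percent-encoded, so a caller cannot smuggle extra path segments
// or query parameters into the request. RelayState is optional and is handed
// to the service provider (AWS in the thread) unchanged by the IdP.
function buildSamlpUrl(domain, clientId, relayState) {
  if (!/^[a-z0-9.-]+$/i.test(domain)) {
    throw new Error('domain must be a bare hostname');
  }
  const url = new URL(`https://${domain}/samlp/${encodeURIComponent(clientId)}`);
  if (relayState) url.searchParams.set('RelayState', relayState);
  return url.toString();
}

// A parent page that listens for postMessage from the frame must compare the
// event's origin with the origin it actually loaded; otherwise any page that
// can embed or open the app could inject a fake "logged in" message.
function isTrustedOrigin(eventOrigin, expectedUrl) {
  return eventOrigin === new URL(expectedUrl).origin;
}

// Browser only: load the URL in a hidden iframe, resolve once the frame has
// loaded (the load event fires even for cross-origin documents, whose content
// the parent cannot read), and reject if nothing happens within timeoutMs.
function loadHiddenIframe(url, timeoutMs = 10000) {
  return new Promise((resolve, reject) => {
    const frame = document.createElement('iframe');
    frame.style.display = 'none';
    const timer = setTimeout(() => {
      frame.remove();
      reject(new Error('samlp iframe timed out'));
    }, timeoutMs);
    frame.addEventListener('load', () => {
      clearTimeout(timer);
      resolve(frame);
    });
    frame.src = url;
    document.body.appendChild(frame);
  });
}

// Browser usage (not run here):
// loadHiddenIframe(buildSamlpUrl(AUTH0_DOMAIN, CLIENT_ID)).catch(console.error);
```

Two things worth keeping in mind with this pattern. Because the frame is cross-origin, the parent cannot tell whether it ended up on the service provider or on the login page; the load event fires either way, so a frame that silently lands on a login prompt, which is what the thread describes, is invisible to the application unless the user notices. And whether the IdP sees its own session cookie inside a third-party iframe depends on the browser's cookie policy (SameSite attributes and third-party cookie blocking), so that is one thing to check in the browser's developer tools when a previously working iframe flow starts prompting for credentials.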

Hello, @Sven65,

Thanks a lot for clarifying your question here!

Quick question. Are you using the same Client ID for all requests? Or are you going across applications? And, I assume that you’re doing all of these before the session (3600 secs) expires - right?

I’d be happy to continue taking a look at this; it seems like you’re pointing out some interesting behavior.

Hi again!

As you’re suspecting, I am indeed using the same Client ID for all the requests, and within the expiry time for the session.