Silent Authentication with SAML SSO

We use Auth0 as SAML IdP (users in Auth0 database) with two client applications (SAML Service Providers). The goal is to have SSO between the two applications.

We use the hosted login page from Auth0 and SSO works:
the user goes to the first application, gets redirected to the login page, logs in; then, when the user goes to the second application, the Auth0 prompt shows up and the user can confirm that he wants to proceed to the second application with the current identity.

The thing is that we would want to remove the prompt and have the user access the second application without having to confirm that he wants to proceed with the current identity.
Basically we would like to use Silent Authentication mentioned here: Single Sign-On
but in our case we use SAML and not OIDC, so the steps from the documentation do not work for us. Also, silent authentication sounds quite restrictive, as it leads to an error when the user is not logged in; instead we would like to show the login form when the user is not logged in.

Is there a way to ensure “less-restrictive silent auth” with SAML? We used a different SAML IdP in the past and it redirected to the target application without the prompt so we would want to keep the same behavior.


The information that I have at the moment is that the behavior you describe, not being prompted at all, is what we will want to have by default in the future. As you described, for OIDC there is a supported and standard way to pretty much achieve that same behavior, even if, in the case of the end user not being logged in, this would require two requests instead of just one.

For SAML the situation is a bit different; however, depending on your situation there may be something possible. In particular, if the SSO between the two client applications is based on a single database connection, then instead of using https://{your_domain}.auth0.com/samlp/{client_id} as the login URL you can use https://{your_domain}.auth0.com/samlp/{client_id}?connection={your_db_connection_name}. From a quick test, the inclusion of that additional parameter gave me the desired behavior; keep in mind that I could not find any formal documentation on this, but given that the no-prompt behavior is what lies ahead, the use of this parameter seems low risk.


Update: as somewhat implied in the original answer, the lack of documentation for the additional connection parameter is an important thing to consider when reading this answer, because from more recent tests it seems that there may be situations where not having the parameter leads to the desired behavior, while including it means additional user interface is shown.


Thank you. It seems to work as desired when the connection parameter is used.

And an implementation tip for Spring users: the OpenSAML library removes the query params (see java - Query string not preserved in SAML HTTP Redirect binding - Stack Overflow), so passing it is not straightforward…
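
The two points above (sending the AuthnRequest to an IdP URL that already carries `?connection=...`, and an SP library that drops that query string when it builds the redirect) come down to how the SAML 2.0 HTTP-Redirect binding URL is assembled. The following Python is an added example, not code from the thread, Auth0 or OpenSAML. It encodes an AuthnRequest the way the binding requires (raw DEFLATE, then base64, then URL-encoding), appends it to the IdP endpoint while keeping the endpoint's existing query parameters, and shows the naive construction that loses them. The tenant `example.auth0.com`, the `CLIENT_ID` placeholder, the connection name `Username-Password-Authentication`, and the AuthnRequest XML are all assumed values constructed for illustration.

```python
"""Added example (not from the thread): build a SAML 2.0 HTTP-Redirect binding
URL against an IdP endpoint that already carries ?connection=..., so the extra
parameter survives alongside SAMLRequest and RelayState.

All tenant, client, connection and AuthnRequest values below are hypothetical.
"""
import base64
import zlib
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed tenant, client id and database connection name; replace with your own.
IDP_SSO_URL = "https://example.auth0.com/samlp/CLIENT_ID?connection=Username-Password-Authentication"

# Constructed, unsigned AuthnRequest; ID, issuer and ACS URL are placeholders.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_example-request-id" Version="2.0" IssueInstant="2020-01-01T00:00:00Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://app1.example/saml/acs">'
    "<saml:Issuer>https://app1.example/saml/metadata</saml:Issuer>"
    "</samlp:AuthnRequest>"
)


def deflate_b64(xml: str) -> str:
    """Encode per the HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits=-15 selects raw deflate
    return base64.b64encode(comp.compress(xml.encode("utf-8")) + comp.flush()).decode("ascii")


def inflate_b64(value: str) -> str:
    """Reverse of deflate_b64, i.e. what the IdP does with the SAMLRequest parameter."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def build_redirect_url(idp_sso_url: str, authn_request_xml: str,
                       relay_state: Optional[str] = None) -> str:
    """Append SAMLRequest/RelayState to the IdP URL, keeping its existing query string."""
    parts = urlsplit(idp_sso_url)
    params: List[Tuple[str, str]] = parse_qsl(parts.query, keep_blank_values=True)
    params.append(("SAMLRequest", deflate_b64(authn_request_xml)))
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    # urlencode percent-encodes the base64 '+', '/' and '=' so they survive the redirect.
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), parts.fragment))


def build_redirect_url_naive(idp_sso_url: str, authn_request_xml: str,
                             relay_state: Optional[str] = None) -> str:
    """The pitfall from the thread: treating the endpoint as scheme+host+path and
    overwriting its query string, which silently drops ?connection=..."""
    parts = urlsplit(idp_sso_url)
    params = [("SAMLRequest", deflate_b64(authn_request_xml))]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), ""))


def parse_redirect_url(url: str) -> Dict[str, str]:
    """Decode a redirect URL as the IdP would; the inflated XML is added under 'AuthnRequest'."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    if "SAMLRequest" in params:
        params["AuthnRequest"] = inflate_b64(params["SAMLRequest"])
    return params


if __name__ == "__main__":
    relay = "https://app1.example/after-login"
    good = build_redirect_url(IDP_SSO_URL, AUTHN_REQUEST, relay)
    bad = build_redirect_url_naive(IDP_SSO_URL, AUTHN_REQUEST, relay)
    print("connection kept:", parse_redirect_url(good).get("connection"))
    print("connection lost:", parse_redirect_url(bad).get("connection"))
```

The example sends an unsigned request. If your SP signs redirect requests, the SAML Bindings specification defines the signed string as only `SAMLRequest=...&RelayState=...&SigAlg=...`, so an extra `connection` parameter sits outside the signature and does not invalidate it; it does, however, mean the IdP receives it unauthenticated, which is consistent with it being a routing hint rather than a security control.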

Is there anywhere to track the progress of this? The scenario described is exactly what we want to achieve as well and it would be helpful to keep tabs on when/if this is going to be implemented out of the box.

As a heads up, the query parameter stripping by OpenSAML will be fixed in 3.4.0 (pending release) per the issue filed: [OSJ-243] - Shibboleth Jira