Silent SSO across two Auth0 tenants (Universal Login / ACUL) - prompt=none keeps getting overridden

Hi everyone,

I’m trying to implement a silent SSO flow across two Auth0 tenants and I feel like I’m either missing a configuration option or hitting a limitation that isn’t very obvious from the docs.

High-level setup

  • Tenant A

    • Used by a Shopify storefront

    • Login must always initiate from Shopify (business requirement)

  • Tenant B

    • Hosts a separate identity system

    • Users may already have an active session here

  • Tenants are federated via Auth0 OIDC

  • Using Universal Login

  • Experimenting with ACUL (Advanced Customizations for Universal Login), but would prefer to avoid it if Universal Login alone can handle this

What we want to achieve

  1. Users always start login from Shopify (Tenant A)

  2. If the user already has an active session in Tenant B, we want:

    • No extra login prompt

    • No visible “Continue with X” / identity selection UI

    • Seamless authentication back into Tenant A

  3. In other words: true silent SSO across tenants

What works so far

  • Using ACUL + React SDK, we can:

    • Pass hints/params into /authorize (e.g. login_hint)

    • Detect those parameters in the ACUL code

    • Automatically trigger authentication against Tenant B

  • This lets us hide the secondary IdP button and avoid exposing it to all users

The core problem

Even when the user already has an active session in Tenant B, they are still forced to re-authenticate.

We identified that using:

/authorize?...&prompt=none

should allow silent authentication if a session exists.

However:

  • We cannot reliably force prompt=none

  • Auth0 keeps rewriting the request to prompt=login

  • This happens even when:

    • Initiating from Universal Login

    • Attempting to pass it through ACUL

    • Manually triggering flows that eventually redirect to /authorize

Things we tried

  • Passing prompt=none via:

    • ACUL React SDK

    • Custom redirects

  • Manually triggering login by POSTing to:

    /u/login/password

    and letting Auth0 redirect to /authorize

  • Attempting to intercept the redirect to inject prompt=none

The issue is that in the browser, we can’t:

  • Intercept the Location header

  • Modify the redirected /authorize request before it happens

Current (undesired) workaround idea

The only solution that seems possible right now is:

  • Introduce a backend/microservice

  • Have it:

    • Initiate the login request

    • Capture the redirect response

    • Modify the /authorize URL to inject prompt=none

    • Redirect the browser manually

This feels overly complex for something that seems like a common silent SSO use case.

What I’m hoping to learn

  • Is there a tenant-level or application-level setting that:

    • Forces silent authentication (prompt=none) when federating to a specific IdP or tenant?

  • Is Auth0 intentionally overriding prompt=none in certain Universal Login or cross-tenant scenarios?

  • Is ACUL actually required for this use case, or am I missing a simpler Universal Login configuration?

  • Is there a recommended pattern for silent SSO across Auth0 tenants that avoids browser hacks or middleware services?

Any guidance, confirmation of limitations, or pointers to the “correct” Auth0 way of doing this would be hugely appreciated.

Thanks!
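To make the "backend/microservice" idea from the post concrete, here is an added example (not code from the post, not Auth0's own code) of the three pieces such a service would need in Node.js: building the /authorize request with prompt=none and the `connection` parameter (so no identity picker is shown), rewriting a captured Location header so that only the expected tenant's /authorize endpoint is ever rewritten (otherwise the service becomes an open redirector), and classifying the callback so a `login_required`-style error from the silent attempt falls back to an interactive `prompt=login` request instead of failing. The tenant hostname, client id, redirect URI and connection name are placeholders I assumed; the `state`/`nonce` values are passed in so the functions stay testable, but in a real service they must come from a CSPRNG and be bound to the browser session.

```javascript
// Added example for the middleware approach discussed above. All hostnames,
// client ids and connection names are assumed placeholders.

const TENANT_A_HOST = "tenant-a.example.auth0.com"; // assumed placeholder

// Errors an OpenID Provider returns when prompt=none cannot be honoured without
// showing UI (OpenID Connect Core 1.0, section 3.1.2.6).
const SILENT_AUTH_FAILURES = new Set([
  "login_required",
  "interaction_required",
  "consent_required",
  "account_selection_required",
]);

// Build an /authorize URL. `state` and `nonce` must be fresh CSPRNG values that
// the caller stores against the browser session. `connection` names the
// connection to Tenant B so the identity picker is skipped; `prompt` is "none"
// for the silent attempt and "login" for the interactive retry.
function buildAuthorizeUrl({
  host = TENANT_A_HOST,
  clientId,
  redirectUri,
  connection,
  state,
  nonce,
  loginHint,
  prompt = "none",
}) {
  const url = new URL(`https://${host}/authorize`);
  const p = url.searchParams;
  p.set("response_type", "code");
  p.set("scope", "openid profile email");
  p.set("client_id", clientId);
  p.set("redirect_uri", redirectUri);
  p.set("state", state);
  p.set("nonce", nonce);
  p.set("prompt", prompt);
  if (connection) p.set("connection", connection);
  if (loginHint) p.set("login_hint", loginHint);
  return url.toString();
}

// Rewrite a captured Location header so the browser is sent to /authorize with
// prompt=none while state, nonce, redirect_uri etc. stay intact. Only redirects
// to the expected tenant's /authorize endpoint are rewritten, so the service
// cannot be abused as an open redirector.
function forceSilentAuthorize(locationHeader, expectedHost = TENANT_A_HOST) {
  const url = new URL(locationHeader);
  if (url.protocol !== "https:" || url.host !== expectedHost || url.pathname !== "/authorize") {
    throw new Error(`refusing to rewrite redirect to ${url.origin}${url.pathname}`);
  }
  url.searchParams.set("prompt", "none");
  return url.toString();
}

// Interpret the redirect back to redirect_uri after the silent attempt:
//   { status: "code", code }                exchange the code for tokens
//   { status: "retry_interactive", reason } no usable session; repeat the
//                                           request with prompt=login
//   { status: "error", reason }             anything else, including a state
//                                           mismatch (possible CSRF); stop here
function classifyCallback(callbackUrl, expectedState) {
  const p = new URL(callbackUrl).searchParams;
  if (p.get("state") !== expectedState) {
    return { status: "error", reason: "state_mismatch" };
  }
  const error = p.get("error");
  if (error === null && p.get("code")) {
    return { status: "code", code: p.get("code") };
  }
  if (SILENT_AUTH_FAILURES.has(error)) {
    return { status: "retry_interactive", reason: error };
  }
  return { status: "error", reason: error || "missing_code" };
}

// Walk-through with constructed values: silent attempt, then the callback Auth0
// would send when Tenant B has no session, which triggers the interactive retry.
function demo() {
  const state = "s-constructed-1";
  const nonce = "n-constructed-1";
  const common = {
    clientId: "CLIENT_ID_PLACEHOLDER",
    redirectUri: "https://shop.example/auth/callback",
    connection: "tenant-b-oidc", // assumed connection name
    state,
    nonce,
  };
  const silent = buildAuthorizeUrl(common);
  // Constructed callback, as returned when no session exists for prompt=none:
  const cb = `https://shop.example/auth/callback?error=login_required&state=${state}`;
  const outcome = classifyCallback(cb, state);
  const retry = outcome.status === "retry_interactive"
    ? buildAuthorizeUrl({ ...common, prompt: "login" })
    : null;
  return { silent, outcome, retry };
}
```

The state check in `classifyCallback` is what keeps the redirect-capturing service from being a CSRF foothold: the value is minted per session and compared before any code is exchanged. Note that the silent attempt only succeeds if the browser actually sends Tenant A's session cookie on the /authorize request the service redirects it to; a server-to-server request from the microservice carries no browser cookies, so the service must hand the rewritten URL back to the browser rather than follow it itself.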

Hi @jamal.badawi

Welcome to the Auth0 Community!

Please allow me some time to research into this and I will return with an update in a timely manner.

Best regards,
Gerald

Got a workaround through Management API. I’ll post the details later 🙂
Thank you though.


Hi @jamal.badawi

Glad to hear that you were able to get it sorted out! Definitely sharing these details can help out other Community members, thank you!

Have a great one!
Gerald