Single Sign On - Not Working

Please bear with me, since I’m not a developer or programmer. However I think the following should be really basic and it just won’t work. Any advice gratefully received!

I have two applications: one that connects to a learning management system with Auth0 integration built in (it’s set up and tested and works). The second is a WordPress site with the Auth0 plugin. Again, it works and has been tested.

Both are under the same tenant and both have their own DB connection. The problem is, neither recognises that you’ve logged into the other one.

For example, I go to the first, log in with Auth0 and it logs me in. I go to the second and it asks me to log in again using Auth0. It doesn’t recognise that I’m already logged in. I’ve tested it on different browsers and devices, all of which have cookies enabled.

For the user profiles, I have the same email and password set up in each system. There are actually two profiles listed in the Auth0 user list (one for each connection - no idea if this is correct). Interestingly, one has both applications listed under the authorised applications, but the other only has the application that corresponds to its connection. However, it doesn’t matter which one you log into, it doesn’t recognise it on the second.

To be honest, I didn’t think it would be this hard to set up. All I want is to run two applications and have users be able to log into one and auto log into the other. Hours of scouring this forum and other resources seem to turn up zero help on how to actually do this.

Any thoughts?

Thanks in advance 🙂

> Both are under the same tenant and both have their own DB connection.

Why are they using two separate DB connections, instead of one?

That’s actually the reason that SSO doesn’t work in your scenario.
Because even though the user is logged into the first application using the first DB connection: since this first DB connection isn’t a valid user store for the second application, it wouldn’t allow access to the second application.

Somewhat related:

Ok, thank you for the information and for responding so quickly.

What confuses me is, I have one system (let’s call it the primary system) that the user account is created in (for that system). It has a setting to create that user profile in Auth0 - I’ve tested it and it works fine. I then want that same user to then have access to a secondary system which also has Auth0 (where they haven’t yet had a login created for them). This raises a number of questions for me:

How do I create the second account in the second system and then link it so that Auth0 knows that the same person needs to login to each account? I don’t get how this happens unless there are two DBs (in order to store the account details for each application).

If there is only one DB, how does Auth0 handle the fact that each system may have a different password? Also, I’ve tried connecting both systems to one database and it doesn’t change anything. Can Auth0 create the user account in the secondary system for me? Or do I create it and then somehow link it to the primary account details (same email address)?

For the excerpt you provided above, are you meaning that the login has to happen on the same Auth0 domain (e.g. rae-gs.eu.auth0.com), or that each of the applications (i.e. the external systems) themselves need to be on the same domain? If it’s the former, then they are already configured like this (rae-gs.eu.auth0.com).

For the last part, “If different apps are using different clients/apps on the Auth0 dashboard, the connection user is authenticating should be enabled for all of these applications on the Auth0 dashboard.” I don’t understand what this means. Could you please help me understand what “the connection user is authenticating should be enabled for all of these applications” means? Is this a setting somewhere?

Thanks for the support!

When looking at your tenant rae-gs.eu.auth0.com, I can only see one database connection, which is the default "Username-Password-Authentication", but I don’t see another one.

However, you mentioned that both applications have their own DB connection,

> Both are under the same tenant and both have their own DB connection.

so there should be at least 2 DB connections. Or does that refer to a different tenant?


> If there is only one DB, how does Auth0 handle the fact that each system may have a different password?

Why would there be two passwords for the same user in the first place? Isn’t the main point of SSO the exact opposite: wanting to offer a way so that the user does not need different systems for each website/system?


> What confuses me is, I have one system (let’s call it the primary system) that the user account is created in (for that system).

Does this mean you create a user with password in that system (learning system, or WordPress), and then with the same username/password in Auth0? And therefore, does the password then not only reside in Auth0 but also in the other system?


In any case, what it should look like is that in Auth0 you register/create the two applications (one for the LMS, one for the WordPress), then for each application in Auth0, you’d enable the same database connection, for example: Username-Password-Authentication (the default DB connection).

And the only place where passwords are stored, reset, etc. is within Auth0, not outside in any other system (such as LMS, WordPress), because that’s the whole point of having a so-called federated login.


> For the excerpt you provided above, are you meaning that the login has to happen on the same Auth0 domain (e.g. rae-gs.eu.auth0.com)

Yes, that ^^^

> If it’s the former, then they are already configured like this (rae-gs.eu.auth0.com).

So, which application represents the LMS and which one represents the WordPress?

In the mentioned tenant, I just found applications “RAE Systems” and “My App”, but “My App” isn’t configured with any callbacks so. And the “RAE Systems” app has callbacks and Allowed Origins configured, but as far as I can see, none of them point to a Wordpress system.

By the way: I think you have a typo in your first Allowed Origin domain, where it should be a . instead of a -


If it’s possible to create a test user with non-sensitive access which would allow testing the login, you can DM me and also let me know the public urls of LMS and Wordpress. Happy to take a look at the actual current login experience, as it might be easier to understand than just describing it in words.

Ok, so I have deleted the original secondary system and started from the beginning. Everything below is in the same tenant.

  1. I have a learning management system (LMS) in which the user is created (with a password set by that system) which is then passed into Auth0 to create a user profile. In my account this is called “RAE Systems”

  2. This LMS is connected to Auth0 as an application with the DB "Username-Password-Authentication". You can log in to the LMS using Auth0 with no problems. If a user needs to change their password in this primary system, it is facilitated via Auth0.

  3. I have a second system which is WordPress running the Auth0 plugin. This is called “Flight Docs”. This is connected to Auth0 using a second application which in turn has a connection to the same DB as above. Only 1 DB is now being used.

  4. At this stage, the user from the first system has not yet been set up as a user in the second system. The second system requires the user to have a login with a password.

My questions are now:

A. How should I go about creating the new user in the second system, knowing that it needs a password? Should this be an Auth0 action? In which case I need it to create the user in the correct role. Or is this something that is done directly into the second system, in which case how do I handle the set up of a password when the password resides in Auth0?

I will create a user in each system and DM you the details. However, these will be set up manually so I don’t know what will happen in Auth0 when I create them. I will use the same password for each if that helps.

Thanks, got the DM; see my DM reply, I suggest a quick call on Monday to explain a bit from a conceptual point of view, probably easiest.

I had a Zoom call with @contact12 for further clarification and setting this thread to resolved. No point keeping this open and it’s missing of course context from the call if continued.
We can “re-open” the discussion if needed.
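
Added example, not part of the thread and not Auth0's own code: a small audit of the two conditions discussed above, namely application pairs that share no enabled connection (the reason given for SSO failing) and the same e-mail existing as a profile under more than one connection. The client IDs, connection names `lms-db` and `wp-db`, and the e-mail address are constructed, and the `enabled_clients` and `identities` fields are assumed to follow the shape of a tenant export.

```python
from itertools import combinations

# Constructed sample data (assumption: shaped like a tenant export where
# connections carry "enabled_clients" and users carry "identities").
APPS = {"client_lms": "LMS", "client_wp": "WordPress"}

# Original setup described in the thread: one DB connection per application.
CONNECTIONS_BEFORE = [
    {"name": "lms-db", "enabled_clients": ["client_lms"]},
    {"name": "wp-db", "enabled_clients": ["client_wp"]},
]
# Recommended setup: one connection enabled for both applications.
CONNECTIONS_AFTER = [
    {"name": "Username-Password-Authentication",
     "enabled_clients": ["client_lms", "client_wp"]},
]
USERS_BEFORE = [
    {"email": "pilot@example.com", "identities": [{"connection": "lms-db"}]},
    {"email": "pilot@example.com", "identities": [{"connection": "wp-db"}]},
]


def shared_connections(connections, client_a, client_b):
    """Names of connections enabled for both applications."""
    return sorted(c["name"] for c in connections
                  if {client_a, client_b} <= set(c.get("enabled_clients", [])))


def sso_gaps(connections, apps):
    """Application pairs with no connection in common."""
    return [(apps[a], apps[b]) for a, b in combinations(sorted(apps), 2)
            if not shared_connections(connections, a, b)]


def duplicate_profiles(users):
    """E-mails that appear under more than one connection."""
    seen = {}
    for user in users:
        for identity in user.get("identities", []):
            seen.setdefault(user["email"].lower(), set()).add(identity["connection"])
    return {email: sorted(conns) for email, conns in seen.items() if len(conns) > 1}


if __name__ == "__main__":
    print("before:", sso_gaps(CONNECTIONS_BEFORE, APPS), duplicate_profiles(USERS_BEFORE))
    print("after: ", sso_gaps(CONNECTIONS_AFTER, APPS))
```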