SPA + API and IdP initiated SSO


We have a SPA which is connected to a custom built back-end API. We had recently moved to Auth0 and we have been using it for authentication for some time. Auth0 returns an access token etc. and Auth0.js handles the authentication. For all API calls the access token is sent to the back-end API and everything's working fine.

Recently SSO was also implemented and ADFS and okta connections work fine if we navigate to our application first and then login.

If we go to okta dashboard and click on our application (IdP initiated SSO) it does not work. The access token that we get is not a JWT and moreover the backend API cannot authenticate the user with that token.

Is there a way to get IdP initiated SSO to work in this scenario?

The issuance of access tokens for APIs you have defined in your dashboard is not supported as part of SAML IdP-Initiated flows. The recommendation, if possible, would be to not depend on SAML IdP-Initiated flows and instead make use of flows where the client application starts the process (SP-Initiated).

Have in mind that the above does not mean that the end-user needs to access the application directly as this can be achieved if:

  • the client application defines a URL that, when accessed, automatically initiates an authentication transaction for the required identity provider.
  • the dashboards in the identity providers can be updated to link to the above URL instead of initiating a SAML IdP-Initiated flow.

With the above, although with the overhead of some additional redirects, the user experience ends up being the same: an end-user clicks a link in the dashboard and they are automatically authenticated based on the identity with which they are already authenticated in the IdP dashboard.

If using IdP-Initiated flows is unavoidable, then a possible alternative would be, after receiving an IdP-Initiated response, to initiate an authorization request to /authorize for the requested API (audience parameter). This would allow the application to obtain a suitable access token and, given that the previous IdP-Initiated flow established a session in the Auth0 tenant domain, the end-user would not have to actively provide credentials.