SSO Between Organizations and Auto-membership Not Working as Expected

Last Updated: Sep 9, 2024

Overview

Two separate applications and two separate organizations share the same SAML connection, which has auto-membership enabled.

Setup:

  • One organization is configured with a SAML connection, and auto-membership is enabled.
  • Identifier First is enabled, and the domain is configured on the SAML connection for HRD.
  • The applications are configured with “Prompt for Credentials” under the Organizations tab.
  • The applications have the SAML connection enabled under the Connections tab.
  • The applications’ organization usage is set to “Both”, so both organization and individual users are allowed to login.
  • User 1 is initially not a member of either organization. When User 1 logs into app1 in the context of org1, they become a member of org1 (an Auth0 session now exists).
  • When User 1 then proceeds to log into app2 in the context of org2 and has to authenticate, they are unable to do so.
  • The blocker to SSO here appears to be the lack of membership on org2. When logging in via the SAML connection, the user is not added to the organization as a member despite having auto-membership enabled.

As per the document here:

  • “There may be scenarios in which you cannot determine a user’s desired organization prior to sending them to log in. In this case, you can use the aforementioned Prompt for Credentials flow but note that the user will only be granted membership in the organization if one and only one organization has this connection set as an enabled connection for the organization with auto-membership activated.”

Auto-membership should therefore work without passing the organization_id in the /authorize request, but it does not.

Applies To

  • SSO
  • Organizations
  • Auto-Membership
  • SAML Connection

Solution

For auto-membership to work in this scenario, the connection should only be enabled in the organization, so the connection at the application level should be disabled.

This is currently by design: the session check requires membership of an organization, and if the user is not a member the session is dropped. A change to this behaviour is in our backlog, so going forward SSO should be achievable regardless of organization membership, but there is no ETA for this yet.
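The two conditions this article relies on (the connection must not be enabled under the application's Connections tab, and exactly one organization must have it enabled with auto-membership) can be checked statically before users hit the login flow. The script below is an added example, not Auth0's code; the dict shapes are an assumption modelled on the Management API responses for GET /api/v2/connections/{id} (field `enabled_clients`) and GET /api/v2/organizations/{id}/enabled_connections (fields `connection_id`, `assign_membership_on_login`), and all ids and sample data are constructed. It evaluates the setup as described in the Overview, the setup after applying the Solution, and the case where two organizations share the connection.

```python
"""Static check of an Auth0 organization/connection setup for Prompt for
Credentials auto-membership.

Added example, not Auth0's code. Dict shapes are assumed to mirror the
Management API responses for GET /api/v2/connections/{id} (field
'enabled_clients') and GET /api/v2/organizations/{id}/enabled_connections
(fields 'connection_id', 'assign_membership_on_login'); all sample data
below is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Verdict:
    ok: bool
    reasons: list = field(default_factory=list)


def check_auto_membership(connection, org_enabled_connections, client_id):
    """Return a Verdict for one application (client_id) using `connection`.

    connection: dict with 'id', 'name' and 'enabled_clients'.
    org_enabled_connections: {org_id: [enabled-connection dicts]}.
    """
    reasons = []
    conn_id = connection["id"]

    # Rule from the Solution: the connection must be enabled only on the
    # organization, not under the application's Connections tab.
    if client_id in connection.get("enabled_clients", []):
        reasons.append(
            f"connection '{connection['name']}' is enabled directly on "
            f"application {client_id}; disable it at the application level")

    # Rule quoted from the docs: membership is granted only when exactly one
    # organization has this connection enabled with auto-membership.
    auto_orgs = sorted(
        org_id
        for org_id, conns in org_enabled_connections.items()
        if any(c["connection_id"] == conn_id and c.get("assign_membership_on_login")
               for c in conns))
    if not auto_orgs:
        reasons.append("no organization enables this connection with auto-membership")
    elif len(auto_orgs) > 1:
        reasons.append(
            "auto-membership is ambiguous: enabled on organizations "
            + ", ".join(auto_orgs) + " (must be exactly one)")

    return Verdict(ok=not reasons, reasons=reasons)


# --- constructed sample data (not real tenant values) ---------------------
APP1 = "app1_client_id_SAMPLE"
CONN_AS_FOUND = {
    "id": "con_SAMPLE0001",
    "name": "acme-saml",
    "strategy": "samlp",
    "enabled_clients": [APP1],      # enabled on the app: the misconfiguration
}
CONN_FIXED = {**CONN_AS_FOUND, "enabled_clients": []}  # org-only enablement

ORG_CONNS_ONE_ORG = {
    "org_1": [{"connection_id": "con_SAMPLE0001", "assign_membership_on_login": True}],
    "org_2": [],
}
ORG_CONNS_TWO_ORGS = {
    "org_1": [{"connection_id": "con_SAMPLE0001", "assign_membership_on_login": True}],
    "org_2": [{"connection_id": "con_SAMPLE0001", "assign_membership_on_login": True}],
}


def as_found():
    """Setup from the Overview: connection also enabled on the application."""
    return check_auto_membership(CONN_AS_FOUND, ORG_CONNS_ONE_ORG, APP1)


def after_fix():
    """Setup after the Solution: connection enabled on the organization only."""
    return check_auto_membership(CONN_FIXED, ORG_CONNS_ONE_ORG, APP1)


def shared_by_two_orgs():
    """Both organizations enable the connection with auto-membership."""
    return check_auto_membership(CONN_FIXED, ORG_CONNS_TWO_ORGS, APP1)


if __name__ == "__main__":
    for label, verdict in [("as found", as_found()), ("after fix", after_fix()),
                           ("two orgs", shared_by_two_orgs())]:
        print(label, "OK" if verdict.ok else "; ".join(verdict.reasons))
```

To run this against a real tenant, replace the constructed dicts with the corresponding Management API responses fetched with a token holding `read:connections` and `read:organization_connections`; the decision logic itself is unchanged.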