SSO is Not Working with Organization Feature

Problem statement

The SSO across two applications stopped working with the Organization feature.

Expected behavior:
Once a user logs in to Application A with a username/password, the user should be able to log into Application B without being prompted for the credentials.

Actual behavior:
The user logged in to Application A with a username/password. When the same user hit the login endpoint of Application B, they were asked for the credentials again.

Symptoms

See the “Actual behavior” in the problem statement section.
The network logs indicate that the applications use the Organization feature, and end users were asked for the Organization to use upon logging in.

Cause

The Login Flow was set to “Prompt For Organization.”

The Universal Login Experience will ask for the Organization and then for the user credentials if the “organization” parameter is not included in the authorization request.

Solution

There are two possible solutions.

  1. Use “Prompt For Credentials”
  • If the user belongs to a single organization:
    • The user won’t be prompted for the Organization upon SSO.
  • If the user belongs to multiple organizations:
    • The user has to choose which organization to use upon logging in. However, the user will not have to input the username and password again.
  2. Pass the “organization” parameter to the /authorize endpoint if the application knows which organization to use beforehand. (Use the Organization ID, not the name.)
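Added example (not part of the original article) of the second solution: Application B builds its /authorize request for the authorization-code flow with PKCE and includes the “organization” parameter only when it already knows the Organization ID. The domain, client ID, redirect URI and organization value are placeholders; the check that the value carries the org_ prefix reflects the Organization ID format and is there to catch a name being passed by mistake.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def pkce_challenge(code_verifier: str) -> str:
    """RFC 7636 S256 challenge: base64url(sha256(verifier)) without '=' padding."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(domain, client_id, redirect_uri, code_verifier, state,
                        organization=None):
    """Return the /authorize URL for Application B.

    organization: Auth0 Organization ID (org_...), or None to omit the parameter
    and let the Login Flow setting ("Prompt For Credentials") decide. Passing the
    organization *name* is rejected, since the endpoint expects the ID.
    """
    if organization is not None and not organization.startswith("org_"):
        raise ValueError("organization must be an Organization ID (org_...), not the name")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "state": state,                       # CSRF protection, verified on callback
        "code_challenge": pkce_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    if organization is not None:
        params["organization"] = organization  # skips the organization prompt
    return f"https://{domain}/authorize?{urlencode(params)}"


def authorize_params(url):
    """Flatten the query string of an /authorize URL (useful when reviewing network logs)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


if __name__ == "__main__":
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    # Placeholder values; replace with Application B's real settings.
    print(build_authorize_url("TENANT_DOMAIN_PLACEHOLDER", "CLIENT_ID_PLACEHOLDER",
                              "https://app-b.example/callback", verifier,
                              secrets.token_urlsafe(16), organization="org_PLACEHOLDER"))
```

Keep the code_verifier and state server-side (or in the SPA's session storage) so the callback can complete the code exchange and reject a mismatched state.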