SSO Not Working with Organizations

Hello. We have implemented Organizations as described here: Invite-only - Allow signup from invited but no one else

  • SPAs
  • require organization to login
  • display org prompt
  • No connections enabled on the SPA, only on the org

However, this seems to break SSO. We are using Universal Login and SSO was working before, we could sign into one app and were signed in everywhere else.

This is especially disruptive with the added org prompt. Because of how our apps link to each other, users are having to sign in 3 times in some cases, which is very cumbersome.

Is this expected behavior? Is there any way to get SSO back, or do we need to find another way to solve our use case that doesn’t use organizations?


It looks like if we specify the organization ID in the React component we use, SSO works.

<Auth0Provider
  organization='org_xxxxxxxxxxxxxxxx'
  domain={auth0Url}
  clientId={auth0ClientId}
  audience={auth0Audience}>
  ...
</Auth0Provider>

I am guessing this is all because the cookie on the Auth Server (as explained in this article) is organization specific.

Unfortunately, we don’t know what org the user belongs to prior to login. We are exploring different approaches that might solve this for our case, but the solutions listed in this comment would probably also help us out a ton: Support/Replace Organization prompt screen with "choose organization" during login - #17 by adam.housman

Is there a reason the cookie needs to be organization specific? Any suggestions that would make it so SSO just works in our use case, without having to specify the organization?

I am still facing the same issue. But I am using one Spring Boot web app with the “spring-boot-starter-oauth2-client” dependency and two SPAs.

After adding the organization prompt to get the org name, SSO is not working.

I need to enter the org name and user credentials in all the places.

Is there any fix for this?

We are now setting the org ID as a cookie whenever someone logs in, then clearing it when they log out. This fixes SSO for us by making the provider organization-aware.

It also serves as a sort of “remember me” for the organization prompt, which is a nice side effect.

Note: We haven’t fully rolled this out yet, but we have tested it enough to be confident it’ll work.

<Auth0Provider
      ...
      domain={auth0Url}
      clientId={auth0ClientId}
      onRedirectCallback={(appState?: AppState, user?: User) => {
        if (user && user.org_id) {
          // using js-cookie: remember the org the user just authenticated against
          Cookies.set('auth0OrgId', user.org_id, { domain: cookieDomain })
        }
        navigate((appState && appState.returnTo) ?? window.location.pathname)
      }}
      authorizationParams={{
        // only authorizationParams are forwarded to /authorize;
        // domain and clientId are provider props, not authorization parameters
        audience: auth0Audience,
        organization: Cookies.get('auth0OrgId') ?? undefined,
        ...
      }}
      ...
>

If you are using the same client ID, this solution might be easier for you: How to login once across multiple subdomains on a custom domain?

I would still like an officially supported Auth0 feature for this, but since it’s going to work for our case, I am marking this as the solution.

Thank you @tim.becker. I think this will help me.
and

I have a Spring Boot web app where I am using “spring-boot-starter-oauth2-client”, which triggers the authorization internally. I think we won’t be able to add parameters.

Is there any solution to make multiple Spring MVC apps work with SSO when organizations are enabled?
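One way to carry the same organization parameter through a Spring Boot app that uses spring-boot-starter-oauth2-client, as an added example that is not from this thread or from Auth0: wrap Spring Security's default authorization request resolver so that a well-formed auth0OrgId cookie (the cookie name the React solution above writes) is forwarded as the organization parameter on the /authorize request. It assumes Spring Boot 3 / Spring Security 6 (jakarta.servlet), a single client registration, and hypothetical class and method names (OrgAwareOAuth2Config, orgAwareResolver, withOrganization).

```java
// Added example (hypothetical names), not code from the thread or from Auth0.
import jakarta.servlet.http.HttpServletRequest;
import java.util.Arrays;
import java.util.regex.Pattern;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestRedirectFilter;
import org.springframework.security.oauth2.client.web.OAuth2AuthorizationRequestResolver;
import org.springframework.security.oauth2.core.endpoint.OAuth2AuthorizationRequest;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class OrgAwareOAuth2Config {
    // Same cookie name the SPA writes; Auth0 org ids look like org_<alphanumerics>, so reject anything else.
    static final String AUTH0_ORG_COOKIE = "auth0OrgId";
    static final Pattern ORG_ID = Pattern.compile("^org_[A-Za-z0-9]{1,64}$");

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, ClientRegistrationRepository repo) throws Exception {
        OAuth2AuthorizationRequestResolver resolver = orgAwareResolver(repo);
        http.authorizeHttpRequests(a -> a.anyRequest().authenticated())
            .oauth2Login(o -> o.authorizationEndpoint(e -> e.authorizationRequestResolver(resolver)));
        return http.build();
    }

    // Delegates to Spring's default resolver, then appends the organization parameter.
    static OAuth2AuthorizationRequestResolver orgAwareResolver(ClientRegistrationRepository repo) {
        OAuth2AuthorizationRequestResolver delegate = new DefaultOAuth2AuthorizationRequestResolver(
            repo, OAuth2AuthorizationRequestRedirectFilter.DEFAULT_AUTHORIZATION_REQUEST_BASE_URI);
        return new OAuth2AuthorizationRequestResolver() {
            @Override public OAuth2AuthorizationRequest resolve(HttpServletRequest req) {
                return withOrganization(req, delegate.resolve(req));
            }
            @Override public OAuth2AuthorizationRequest resolve(HttpServletRequest req, String registrationId) {
                return withOrganization(req, delegate.resolve(req, registrationId));
            }
        };
    }

    // Adds organization=<org id> to the /authorize request only when a valid org cookie is present,
    // so Auth0 can match its organization-scoped session instead of showing the org prompt again.
    static OAuth2AuthorizationRequest withOrganization(HttpServletRequest req, OAuth2AuthorizationRequest authz) {
        if (authz == null || req.getCookies() == null) return authz;
        return Arrays.stream(req.getCookies())
            .filter(c -> AUTH0_ORG_COOKIE.equals(c.getName()) && ORG_ID.matcher(c.getValue()).matches())
            .findFirst()
            .map(c -> OAuth2AuthorizationRequest.from(authz)
                .additionalParameters(p -> p.put("organization", c.getValue())).build())
            .orElse(authz);
    }
}
```

Because the cookie is shared across subdomains, both the SPA and the Spring app must set and clear it on the same cookie domain for the session to line up.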
