We are now setting the org ID as a cookie whenever someone logs in, then clearing it when they log out. This fixes SSO for us by making the provider organization-aware.
It also serves as a sort of “remember me” for the organization prompt, which is a nice side effect.
Note: We haven’t fully rolled this out yet, but we have tested it enough to be confident it’ll work.
```tsx
<Auth0Provider
  ...
  onRedirectCallback={(appState?: AppState, user?: User) => {
    if (user && user.org_id) {
      // using js-cookie
      Cookies.set('auth0OrgId', user.org_id, { domain: cookieDomain })
    }
    navigate((appState && appState.returnTo) ?? window.location.pathname)
  }}
  authorizationParams={{
    clientId: auth0ClientId,
    audience: auth0Audience,
    domain: auth0Url,
    organization: Cookies.get('auth0OrgId') ?? undefined,
    ...
  }}
  ...
>
```
If you are using the same client ID, this solution might be easier for you: How to login once across multiple subdomains on a custom domain?
I would still like an officially supported Auth0 feature for this, but since it’s going to work for our case, I am marking this as the solution.
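Added example, not part of the original post: the set, clear and read steps for the `auth0OrgId` cookie, with the value validated before it is passed on as `organization`, since any page under `cookieDomain` can write that cookie. The `org_` + alphanumerics ID format, the `Secure`/`SameSite` attributes and the helper names are assumptions; plain cookie strings stand in for js-cookie so the code runs outside a browser.

```javascript
// Added example (not from the original post).
const ORG_COOKIE = 'auth0OrgId';
// Assumption: Auth0 organization IDs look like "org_" + alphanumerics.
const ORG_ID_PATTERN = /^org_[A-Za-z0-9]{1,64}$/;

function isValidOrgId(value) {
  return typeof value === 'string' && ORG_ID_PATTERN.test(value);
}

// Value for `document.cookie = ...` after login (onRedirectCallback).
function buildOrgCookie(orgId, cookieDomain) {
  if (!isValidOrgId(orgId)) throw new Error('unexpected org_id format');
  return `${ORG_COOKIE}=${encodeURIComponent(orgId)}; Domain=${cookieDomain}; ` +
    'Path=/; Secure; SameSite=Lax';
}

// Value for `document.cookie = ...` on logout. Domain and Path must match
// the ones used when setting, otherwise the browser keeps the cookie.
function buildOrgCookieRemoval(cookieDomain) {
  return `${ORG_COOKIE}=; Domain=${cookieDomain}; Path=/; Max-Age=0; ` +
    'Secure; SameSite=Lax';
}

// Parse a `document.cookie` string; return the org ID only if well-formed,
// so a tampered value never reaches authorizationParams.organization.
function readOrgId(cookieString) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== ORG_COOKIE) continue;
    let value;
    try {
      value = decodeURIComponent(part.slice(eq + 1).trim());
    } catch {
      return undefined; // malformed percent-encoding
    }
    return isValidOrgId(value) ? value : undefined;
  }
  return undefined;
}
```

With js-cookie, the matching removal on logout is `Cookies.remove('auth0OrgId', { domain: cookieDomain })`; omitting the `domain` attribute leaves the cookie in place.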