SSO - Unexpected Login Prompt When Redirecting from App-B (Auth0) to App-A (Cognito) via OIDC Federation

I am new to SSO and trying to integrate SSO from App-B to App-A using OIDC federation, where:

  • App-B uses Auth0 as its Identity Provider (IdP)
  • App-A uses Amazon Cognito as its IdP
  • Cognito is configured to federate with Auth0 as an external OIDC IdP
  • The OIDC connection is working — the correct issuer URL, client ID, client secret, and endpoints from Auth0 are set in Cognito.

Issue:

  1. A user logs into App-B (app-b.com) using App-B’s custom login screen (not Auth0’s Universal Login).
  2. The user then clicks a link from App-B to access App-A (app-a.com).
  3. This triggers Cognito to redirect the user to Auth0 (the configured OIDC IdP).
  4. However, the user is then shown Auth0’s Universal Login screen (e.g. https://dev-rtzntglnlqlrabap.us.auth0.com/u/login), rather than being seamlessly redirected into App-A.

Expectation:

Since the user is already authenticated in App-B (which uses Auth0 behind the scenes), we expected the SSO flow to proceed without showing the Auth0 login screen again when redirecting to App-A via Cognito.


What We Suspect:

We understand that:


Question:

How should I resolve the issue in this scenario to achieve SSO between App-B (Auth0) and App-A (Cognito), when:

  • App-B uses a custom login screen (not Universal Login)
  • We want users already logged in to App-B to seamlessly access App-A via the federated Auth0 → Cognito flow

We have little control over App-A’s Cognito, so we want to make the changes in App-B (Auth0) and the custom login screen.

Hi @neodev,

Welcome to the Auth0 Community!

Apologies for the delayed reply.

The core of the issue is that your custom login flow for App-B authenticates the user but doesn’t create a Single Sign-On (SSO) session at the Auth0 level. When Cognito redirects to Auth0, Auth0 has no record of an active session and therefore must ask the user to authenticate again.

The recommended solution is to adjust your custom login flow to use Auth0’s Cross-Origin Authentication. This allows you to keep your custom login UI hosted on your domain while still establishing the necessary SSO session cookie on the Auth0 domain upon successful login.

To achieve seamless SSO while keeping your custom UI, you can implement the Cross-Origin Authentication flow. This involves changing your custom login form to post the user’s credentials directly to Auth0.

Here’s a step-by-step guide:

Step 1: Configure Your Auth0 Application

  1. Go to your Auth0 Dashboard > Applications > Applications and select the application used by App-B.
  2. In the “Application URIs” section, add the origin of your custom login page (e.g., https://app-b.com) to the Allowed Web Origins list.
  3. Ensure you have a URL for App-B registered in the Allowed Callback URLs list (e.g., https://app-b.com/callback). This is where Auth0 will send the user back after they log in.

Step 2: Modify Your Custom Login Form

Adjust your login form’s HTML to POST directly to the /usernamepassword/login endpoint on your Auth0 domain. You will need to include several hidden fields to pass the required OIDC parameters.

<!-- The credentials are posted straight to the Auth0 tenant, so the SSO
     session cookie is set on YOUR_AUTH0_DOMAIN rather than on app-b.com. -->
<form
  method="POST"
  action="https://YOUR_AUTH0_DOMAIN/usernamepassword/login"
>
  <input type="text" name="username" placeholder="Email"
         autocomplete="username" required />
  <input type="password" name="password" placeholder="Password"
         autocomplete="current-password" required />

  <!-- Values from the App-B application configured in Step 1 -->
  <input type="hidden" name="client_id" value="YOUR_APP_B_CLIENT_ID" />
  <input type="hidden" name="redirect_uri" value="https://app-b.com/callback" />
  <!-- Name of the Auth0 database connection that holds App-B's users -->
  <input type="hidden" name="connection" value="YOUR_DATABASE_CONNECTION_NAME" />
  <input type="hidden" name="response_type" value="code" />
  <input type="hidden" name="scope" value="openid profile email" />

  <!-- Generate a fresh, unguessable value per login attempt on the server,
       keep a copy in the user's session, and compare it at /callback. -->
  <input type="hidden" name="state" value="YOUR_SECURE_RANDOM_STATE" />

  <button type="submit">Log In</button>
</form>

Step 3: Handle the Callback in App-B

When the user submits the form:

  1. The browser posts the credentials directly to Auth0.
  2. Auth0 validates them, sets the SSO session cookie on the Auth0 domain, and redirects the user back to your redirect_uri (https://app-b.com/callback) with an authorization code in the URL query string.
  3. Your backend code at this callback endpoint must now exchange this authorization code for tokens (ID, Access, and Refresh) by making a POST request to the /oauth/token endpoint.

After this flow is complete, the user is logged into App-B, and more importantly, the Auth0 SSO cookie is set. Now, when the user navigates to App-A, the redirect to Auth0 will be seamless.

If you have any other questions, feel free to reach out!

Have a good one,
Vlad

Thanks @vlad.murarasu for the quick response. This looks interesting. We will try it out and let you know in case we face any issues.


This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.