As long as the applications share the same set of enabled connections, then SSO is possible independently of the fact that the applications use different protocols when talking to the identity provider (Auth0). However, there are a few possible caveats depending on the exact flows (not strictly protocols) being used.
Having said that, the following should allow for SSO:
- have the same connections enabled for both applications.
- application A initiates an OIDC request to the authorize endpoint.
- the universal login page is shown and the end-user authenticates either with username/password or another upstream identity provider.
- application A receives an OIDC response.
- application B performs a SAML SP-Initiated authentication request.
- due to the presence of an authenticated session the end-user will not have to actively authenticate and a SAML response can be returned.
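
The two requests in the steps above, as an added example that is not part of the original post: it builds application A's OIDC authorize request and application B's SP-initiated SAML AuthnRequest (HTTP-Redirect binding) and checks that both target the same Auth0 domain, which is where the authenticated session lives. The tenant domain, client IDs, callback URLs and entity ID are placeholders, and the SAML endpoint is assumed to be Auth0's `/samlp/{client_id}` login URL.

```python
import base64, secrets, zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape, quoteattr

# Placeholders (assumptions): one tenant domain, one client ID per application.
TENANT = "example-tenant.auth0.com"
APP_A_CLIENT_ID = "APP_A_CLIENT_ID"
APP_B_CLIENT_ID = "APP_B_CLIENT_ID"

def oidc_authorize_url(redirect_uri):
    """Application A: OIDC authorization code request to the authorize endpoint."""
    state, nonce = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    query = urlencode({"response_type": "code", "client_id": APP_A_CLIENT_ID,
                       "redirect_uri": redirect_uri, "scope": "openid profile",
                       "state": state, "nonce": nonce})
    return f"https://{TENANT}/authorize?{query}", state, nonce

def saml_sp_initiated_url(sp_entity_id, acs_url, relay_state):
    """Application B: SP-initiated AuthnRequest using the HTTP-Redirect binding."""
    destination = f"https://{TENANT}/samlp/{APP_B_CLIENT_ID}"
    instant = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = ('<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" '
           f'ID="_{secrets.token_hex(16)}" IssueInstant="{instant}" '
           f'Destination={quoteattr(destination)} '
           f'AssertionConsumerServiceURL={quoteattr(acs_url)}>'
           f'<saml:Issuer>{escape(sp_entity_id)}</saml:Issuer></samlp:AuthnRequest>')
    # Redirect binding: raw DEFLATE (no zlib header), then base64, then URL-encode.
    deflater = zlib.compressobj(wbits=-15)
    raw = deflater.compress(xml.encode()) + deflater.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(raw).decode(),
                       "RelayState": relay_state})
    return f"{destination}?{query}"

def decode_saml_request(url):
    """Reverse the binding so the request can be inspected while debugging."""
    param = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    return zlib.decompress(base64.b64decode(param), -15).decode()

def same_session_host(url_a, url_b):
    """Both requests must reach the same Auth0 domain to reuse its session."""
    return urlparse(url_a).netloc == urlparse(url_b).netloc

if __name__ == "__main__":
    a_url, _, _ = oidc_authorize_url("https://app-a.example/callback")
    b_url = saml_sp_initiated_url("urn:app-b.example", "https://app-b.example/acs", "/home")
    print(a_url, b_url, decode_saml_request(b_url), same_session_host(a_url, b_url), sep="\n")
```

`decode_saml_request` is useful when SSO does not happen as expected: it shows exactly which destination and issuer application B sent, and `same_session_host` flags the case where the two applications are pointed at different domains.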