SSO: why do I get directed to my Auth0 IDP tenant when an SSO tenant auth0 session cookie is present?

I’m trying to create an SSO implementation for two applications that have separate user pools. So far I have successfully:

  • created a SSO tenant
  • created 2 IDP tenants, one for each app, which connect to that app's user pool via a custom DB connection to authenticate users
  • created SAML connections between the SSO and IDPs
  • enabled those SAML connections for a client app in the SSO - there's an SSO client app for each of my 2 apps
  • been able to log into each app via our SSO tenant - which redirects to the appropriate IDP and then creates a user profile for each IDP the user logs in with
  • been able to link the two user profiles in the SSO tenant

Problem: The last step I’m having trouble with is after successfully logging into app1, then loading app2 (in same browser session, tried incognito as well) I am prompted to login through app2’s IDP tenant.

I am expecting my SSO tenant to use the auth0 session cookie obtained from logging into app1, so the user does not have to log in to app2.

I have read 2 conflicting pieces of information (through ChatGPT):

  • If you supply a connection param on the authorize call to the SSO tenant, then the auth0 session cookie is ignored and the user is forced to log in through the IDP supplied in the connection param
  • SSO tenant will always firstly read the auth0 session cookie regardless if the connection param is supplied on the authorize call

Troubleshooting I have done thus far:

  • Confirmed the auth0 cookie (generated when I logged into app1) is sent on the SSO authorize call made by app2.
  • Confirmed the auth0 session cookie created by app1 is set to same domain as app2 SSO authorize call
  • Confirmed each SSO client app has the correct callbacks, allowed web origins etc etc.
  • Removed the connection param when an auth0 session token is present but SSO returns a “no connections enabled for the client” error

Any help would be much appreciated!

To implement SSO between two applications with separate user pools, you’ve already completed several steps successfully. However, you’re facing an issue where, after logging into app1 and loading app2 in the same browser session, you’re prompted to log in again.

Here are a few suggestions to troubleshoot the problem:

  1. Check SSO Configuration: Ensure that the SSO tenant and SSO client apps are properly configured. Verify that the SSO client apps have the correct callbacks and allowed web origins.

  2. Verify Auth0 Session Cookie: Confirm that the auth0 session cookie generated when logging into app1 is being sent on the SSO authorize call made by app2. You can inspect the network requests in your browser’s developer tools to check the cookies being sent.

  3. Validate Cookie Domain: Ensure that the auth0 session cookie created by app1 has the same domain as the SSO authorize call made by app2. They should be set to the same domain to ensure that the cookie can be shared between the applications.

  4. Connection Parameter: If you’re including the connection parameter in the authorize call to the SSO tenant, it might override the auth0 session cookie. Try removing the connection parameter when an auth0 session token is present.
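The two authorize variants discussed above (with and without the `connection` parameter) can be kept apart in client code, and a silent check (`prompt=none`) makes it observable whether the SSO tenant actually has a session before app2 is pinned to its IdP. The following is an added example, not code from the original post or the answer and not Auth0's own SDK code. `response_type`, `connection` and `prompt=none` are standard parameters of Auth0's `/authorize` endpoint; the tenant domain, client ID, redirect URI and connection name are assumptions for illustration. Whether Auth0 ignores its session cookie when `connection` is supplied is left open, exactly as it is in the thread; the code only makes the two requests distinguishable and routes on the result.

```javascript
// Added example (assumed names): build the SSO tenant's /authorize request with
// and without the `connection` parameter, and drive app2's login from a silent
// (prompt=none) check first. None of this is the page's or Auth0's own code.

const SSO_DOMAIN = "sso-tenant.example.auth0.com"; // assumed SSO tenant domain

// Build an /authorize URL for the SSO tenant.
//  - `connection` (optional) pins the request to one enabled connection
//    (e.g. app2's SAML connection to its IDP tenant).
//  - `silent` adds prompt=none so Auth0 answers from its own session cookie
//    (code on success, error=login_required otherwise) instead of rendering a
//    login page or redirecting to an IdP.
function buildAuthorizeUrl({ clientId, redirectUri, state, nonce, connection, silent }) {
  const url = new URL(`https://${SSO_DOMAIN}/authorize`);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("scope", "openid profile email");
  url.searchParams.set("state", state);
  url.searchParams.set("nonce", nonce);
  if (connection) url.searchParams.set("connection", connection);
  if (silent) url.searchParams.set("prompt", "none");
  return url.toString();
}

// Classify the redirect Auth0 sends back to redirect_uri after /authorize.
// Returns { kind: "code" | "login_required" | "error", ... }.
// The state check is mandatory: a callback whose state does not match the one
// we generated is rejected before anything else is looked at.
function classifyCallback(callbackUrl, expectedState) {
  const p = new URL(callbackUrl).searchParams;
  if (p.get("state") !== expectedState) {
    return { kind: "error", error: "state_mismatch" };
  }
  const err = p.get("error");
  // These three errors are the defined outcomes of a prompt=none request
  // when Auth0 cannot complete it from the existing session.
  if (err === "login_required" || err === "interaction_required" || err === "consent_required") {
    return { kind: "login_required", error: err };
  }
  if (err) {
    return { kind: "error", error: err, description: p.get("error_description") || "" };
  }
  return { kind: "code", code: p.get("code") };
}

// Decide app2's next step from the result of the silent request:
//  - a code means the SSO session was honoured: exchange it, no IdP login;
//  - login_required means no usable session: fall back to an interactive
//    /authorize pinned to app2's IDP tenant via `connection`;
//  - anything else is a hard failure (state mismatch, misconfiguration, ...).
function nextAuthorizeStep(callbackUrl, cfg) {
  const result = classifyCallback(callbackUrl, cfg.state);
  if (result.kind === "code") {
    return { action: "exchange_code", code: result.code };
  }
  if (result.kind === "login_required") {
    return {
      action: "redirect",
      url: buildAuthorizeUrl({ ...cfg, connection: cfg.idpConnection, silent: false }),
    };
  }
  return { action: "fail", error: result.error };
}

// Constructed sample configuration for app2 (assumed values).
const APP2_CONFIG = {
  clientId: "app2-client-id",
  redirectUri: "https://app2.example.com/callback",
  state: "s123",
  nonce: "n456",
  idpConnection: "app2-idp-saml",
};

// First request app2 should make: silent, and deliberately without `connection`,
// so the outcome tells you whether the SSO tenant's session cookie was used.
const silentProbe = buildAuthorizeUrl({ ...APP2_CONFIG, silent: true });
```

Running the silent probe in the browser that already holds the app1 session separates the two explanations in the question: a `code` on the callback shows the SSO tenant honoured its cookie for app2's client, while `login_required` shows it did not, independently of what a `connection`-pinned request would do. Note that a silent request without `connection` still needs at least one connection enabled on app2's SSO client, which is the "no connections enabled for the client" condition the question mentions.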