I’m trying to create an SSO implementation for two applications that have separate user pools, so far I have successfully:
- created an SSO tenant
- created 2 IDP tenants, one for each app, which connect to that app's user pool via a custom db connection to authenticate users
- created SAML connections between the SSO and IDPs
- enabled those SAML connections for a client app in the SSO - there's an SSO client app for each of my 2 apps
- been able to log into each app via our SSO tenant - which redirects to the appropriate IDP and then creates a user profile for each IDP the user logs in with
- been able to link the two user profiles in the SSO tenant
Problem: The last step I’m having trouble with is after successfully logging into app1, then loading app2 (in same browser session, tried incognito as well) I am prompted to login through app2’s IDP tenant.
I am expecting my SSO tenant to use the auth0 session cookie obtained from logging into app1, so the user does not have to log in to app2.
I have read 2 conflicting pieces of information (through chatGPT):
- If you supply a `connection` param on the authorize call to the SSO tenant, then the auth0 session cookie is ignored and the user is forced to log in through the IDP supplied in the `connection` param
- SSO tenant will always firstly read the auth0 session cookie regardless of whether the `connection` param is supplied on the authorize call
Troubleshooting I have done thus far:
- Confirmed the auth0 cookie (generated when I logged into app1) is sent on the SSO authorize call made by app2.
- Confirmed the auth0 session cookie created by app1 is set to same domain as app2 SSO authorize call
- Confirmed each SSO client app has the correct callbacks, allowed web origins etc etc.
- Removed the connection param when an auth0 session token is present but SSO returns a “no connections enabled for the client” error
Any help would be much appreciated!