I’m trying to create an SSO implementation for two applications that have separate user pools. So far I have successfully:
- created an SSO tenant
- created 2 IDP tenants, one for each app, which connect to that app’s user pool via a custom DB connection to authenticate users
- created SAML connections between the SSO and IDPs
- enabled those SAML connections for a client app in the SSO - there’s an SSO client app for each of my 2 apps
- been able to log into each app via our SSO tenant - which redirects to the appropriate IDP and then creates a user profile for each IDP the user logs in with
- been able to link the two user profiles in the SSO tenant
Problem: The last step I’m having trouble with is that after successfully logging into app1, then loading app2 (in the same browser session; tried incognito as well), I am prompted to log in through app2’s IDP tenant.
I am expecting my SSO tenant to use the Auth0 session cookie obtained from logging into app1, so the user does not have to log in to app2.
I have read 2 conflicting pieces of information (through ChatGPT):
- If you supply a `connection` param on the authorize call to the SSO tenant, then the Auth0 session cookie is ignored and the user is forced to log in through the IDP supplied in the `connection` param
- The SSO tenant will always first read the Auth0 session cookie, regardless of whether the `connection` param is supplied on the authorize call
Troubleshooting I have done thus far:
- Confirmed the Auth0 cookie (generated when I logged into app1) is sent on the SSO authorize call made by app2.
- Confirmed the Auth0 session cookie created by app1 is set to the same domain as app2’s SSO authorize call.
- Confirmed each SSO client app has the correct callbacks, allowed web origins, etc.
- Removed the `connection` param when an Auth0 session token is present, but the SSO returns a “no connections enabled for the client” error.
Any help would be much appreciated!
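As an added example (not code from the original post), the two cookie checks from the troubleshooting list can be made mechanical: given the session cookie's Domain, Path and Secure attributes, decide whether a browser would attach it to the SSO tenant's /authorize request, and build that request with the `connection` parameter left out when an existing session is expected. The tenant host, client id, redirect URI and cookie attributes are constructed placeholders.

```javascript
// RFC 6265 domain matching: a Domain=example.com cookie is sent to example.com
// and any subdomain; a cookie set without a Domain attribute is host-only and
// is sent to exactly the host that set it.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, '');
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// RFC 6265 path matching: the cookie Path must be a prefix of the request
// path on a '/' boundary.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}

// Would the browser attach this cookie to a top-level navigation to requestUrl?
// (A redirect to /authorize is a top-level GET, so SameSite=Lax cookies are
// still sent cross-site; SameSite=Strict ones are not.)
function cookieWouldBeSent(cookie, requestUrl) {
  const url = new URL(requestUrl);
  const domainOk = cookie.hostOnly
    ? url.hostname.toLowerCase() === cookie.domain.toLowerCase()
    : domainMatches(url.hostname, cookie.domain);
  const secureOk = !cookie.secure || url.protocol === 'https:';
  const sameSiteOk = (cookie.sameSite || 'Lax') !== 'Strict';
  return domainOk && pathMatches(url.pathname, cookie.path || '/') && secureOk && sameSiteOk;
}

// Build the SSO tenant's /authorize URL; `connection` is only added when given,
// so the session-cookie path can be tried first without it.
function buildAuthorizeUrl(tenantBase, { clientId, redirectUri, connection }) {
  const u = new URL('/authorize', tenantBase);
  u.searchParams.set('response_type', 'code');
  u.searchParams.set('client_id', clientId);
  u.searchParams.set('redirect_uri', redirectUri);
  u.searchParams.set('scope', 'openid profile');
  if (connection) u.searchParams.set('connection', connection);
  return u.toString();
}

// Constructed sample: a host-only, Secure session cookie set by the SSO tenant.
const sampleCookie = { domain: 'sso.example.com', hostOnly: true, path: '/', secure: true, sameSite: 'Lax' };
const app2Authorize = buildAuthorizeUrl('https://sso.example.com',
  { clientId: 'APP2_CLIENT_ID', redirectUri: 'https://app2.example.com/callback' });
```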