Support for SSO and Passwordless / Passkey

We have a handful of tenants, most of which have SSO configured for one or two applications for some rare cases (for production, they tend to be for real customers; for the test instances, they were probably to experiment).

I’ve been experimenting with Passwordless (email links / SMS) and Passkey.

For one tenant (which I think had 0 SSO), enabling Passkey involved upgrading to the newer universal login and the identity before credentials flow, and then things basically just worked.

For the next system, when I enabled Passkey (again, selecting the newer universal login and the identity before credentials flow), then when I’d enter a username, I’d see SINGLE SIGN-ON ENABLED and after trying to enter a password, I’d be redirected to an SSO provider to enter username+password for an account that had no SSO configuration.

The behavior makes no sense. When I edit the user in the Auth0 /users endpoint, I see Username-Password-Authentication as the recently used connection (there’s also an ancient email connection that was only used once). There is no SSO connection for this user.

I don’t know why Auth0 thinks this is the right behavior.

I was able to “Fix” this by disabling the Application/Application/Connection/Enterprise (SSO) items. I shouldn’t need to do this.

What steps are necessary/required in order to be able to safely deploy SSO and Passkey side-by-side? – Note that this would mean a user should be able to log in using SSO and then set up passkey, or a user should be able to say they want to log in with Passkey and authenticate with SSO, or a user who has a Username-Password-Authentication account should be able to log in with that as-is, or choose to set up Passkey.

Random references showing people struggling with this mess:

Posting publicly because I can’t find the right way to talk to support. (Your maze is worse than some other mazes people hate and that’s saying a lot.)