Hello,
We have two Regular Web Application (RWA) clients. The first grants access to our application using the Auth0 SDK, etc. The second is used as a SAML identity provider, as documented here.
In our application, auth’d via the first RWA, we have links to a third-party app that uses the second RWA as the SAML IdP. When our users click on such a link, they are sent back to our tenant’s authentication domain and prompted for multifactor authentication. In sum, the current user flow is:
1. Go to our application URL (app.example.com).
2. Get redirected to our Auth0 custom domain (auth.example.com).
3. Log in, complete multifactor authentication.
4. Get redirected back to our app (app.example.com).
5. Click on a link for the third-party app, for which we also have a custom domain (third-party.example.com).
6. Get redirected back to auth.example.com.
7. Get prompted for MFA.
8. Get redirected to third-party.example.com.
We’d like to avoid step 7. I’m having trouble understanding how an Auth0 session is used to grant access to our different RWAs in this case. From what I can see, the RWAs differ only in the allowed callback URLs (the second specifies third-party.example.com as a callback). How can we go about this? For management reasons, we’d prefer to keep our setup with two RWAs if possible, but the priority is removing the re-prompt for MFA to the end user.
Thanks in advance for all help and advice!
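Both RWAs sit behind the same tenant and custom domain, so the second login reuses the existing Auth0 session, but the MFA decision is made per login transaction. One way to make that decision explicit is a post-login Action that challenges only when the session does not already carry a fresh MFA completion. The following is an added example, not code from the original post or from Auth0; it assumes the Actions post-login shape `event.authentication.methods = [{ name, timestamp }]` and `api.multifactor.enable(provider, options)`, and the 8-hour freshness window, the `decideMfa`/`makeRecordingApi` helpers and the sample events are constructed for the example.

```javascript
// Added example (not from the original post): an Auth0 post-login Action that
// enforces MFA once per session. If the session on auth.example.com already
// records a completed 'mfa' method (from the first RWA login), the follow-on
// login through the SAML IdP RWA is let through without a new challenge.
// Assumed API shape: event.authentication.methods = [{ name, timestamp }] and
// api.multifactor.enable(provider, options), as in the Actions post-login trigger.

// Assumption: an MFA completion older than this is treated as stale and re-challenged.
const MFA_MAX_AGE_SECONDS = 8 * 60 * 60;

// True when the current session carries a sufficiently recent 'mfa' method.
function mfaCompletedInSession(event, nowMs = Date.now()) {
  const methods = (event.authentication && event.authentication.methods) || [];
  return methods.some((m) => {
    if (m.name !== 'mfa') return false;
    const ts = Date.parse(m.timestamp); // ISO-8601 timestamp of the method
    return Number.isFinite(ts) && (nowMs - ts) / 1000 <= MFA_MAX_AGE_SECONDS;
  });
}

// Synchronous decision so it can be exercised without the Actions runtime.
// Returns 'skip' when MFA is reused from the session, 'challenge' otherwise.
function decideMfa(event, api, nowMs = Date.now()) {
  if (mfaCompletedInSession(event, nowMs)) {
    return 'skip';
  }
  // No fresh MFA in this session: require any enrolled factor on this login.
  api.multifactor.enable('any', { allowRememberBrowser: false });
  return 'challenge';
}

// Entry point the Actions runtime calls on every login transaction.
async function onExecutePostLogin(event, api) {
  decideMfa(event, api);
}

// Constructed stand-in for the Actions `api` object that records calls.
function makeRecordingApi() {
  const calls = [];
  return {
    calls,
    multifactor: { enable: (provider, options) => calls.push({ provider, options }) },
  };
}

// Constructed sample events: the first login (password + MFA just completed),
// the follow-on SAML IdP login in the same session, and a stale MFA completion.
const NOW = Date.parse('2024-01-01T10:00:00.000Z');
const sessionWithMfa = {
  authentication: {
    methods: [
      { name: 'pwd', timestamp: '2024-01-01T09:58:00.000Z' },
      { name: 'mfa', timestamp: '2024-01-01T09:59:00.000Z' },
    ],
  },
};
const sessionWithoutMfa = {
  authentication: { methods: [{ name: 'pwd', timestamp: '2024-01-01T09:58:00.000Z' }] },
};
const staleMfa = {
  authentication: { methods: [{ name: 'mfa', timestamp: '2023-12-31T09:00:00.000Z' }] },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, ev] of [['with MFA', sessionWithMfa], ['without MFA', sessionWithoutMfa], ['stale MFA', staleMfa]]) {
    const api = makeRecordingApi();
    console.log(label, '->', decideMfa(ev, api, NOW), 'enable calls:', api.calls.length);
  }
}

if (typeof module !== 'undefined') {
  module.exports = { MFA_MAX_AGE_SECONDS, mfaCompletedInSession, decideMfa, onExecutePostLogin, makeRecordingApi };
}
```

Deploying this as a post-login Action on the tenant keeps both RWAs in place: the first login still triggers the challenge, and step 7 of the flow above is skipped as long as the session's MFA completion is within the configured window.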