Switching from RWA to RWA for SAML re-prompts end user for MFA


We have two Regular Web Application (RWA) clients. The first grants access to our application using the Auth0 SDK, etc. The second is used as a SAML identity provider, as documented here.

In our application, auth’d via the first RWA, we have links to a third-party app that uses the second RWA as the SAML IdP. When our users click on such a link, they are sent back to our tenant’s authentication domain and prompted for multifactor authentication. In sum, the current user flow is:

  1. Go to our application URL (app.example.com).
  2. Get redirected to our Auth0 custom domain (auth.example.com).
  3. Log in, complete multifactor authentication.
  4. Get redirected back to our app (app.example.com).
  5. Click on a link for the third-party app, for which we also have a custom domain (third-party.example.com).
  6. Get redirected back to auth.example.com.
  7. Get prompted for MFA.
  8. Get redirected to third-party.example.com.

We’d like to avoid step 7. I’m having trouble understanding how an Auth0 session is used to grant access to our different RWAs in this case. From what I can see, the RWAs differ only in the allowed callback URLs (the second specifies third-party.example.com as a callback). How can we go about this? For management reasons, we’d prefer to keep our setup with two RWAs if possible, but the priority is removing the re-prompt for MFA to the end user.

Thanks in advance for all help and advice!
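As an added illustration (not code from the original post or from Auth0), the following post-login Action shows one way the tenant can see whether the current session already completed MFA before deciding to prompt again. It assumes Auth0 Actions expose `event.authentication.methods` (an array of `{ name, timestamp }` entries, with `"mfa"` recorded after a successful challenge) and `api.multifactor.enable`; the freshness window and the sample events are constructed values.

```javascript
// Added example, not the poster's or Auth0's code.
// Pure helper so the decision can be tested outside Auth0.
// `methods` has the shape of event.authentication.methods:
//   [{ name: "pwd" | "mfa" | "federated" | ..., timestamp: ISO-8601 string }]
function mfaCompletedWithin(methods, nowMs, maxAgeSeconds) {
  if (!Array.isArray(methods)) return false;
  return methods.some((m) => {
    if (!m || m.name !== "mfa") return false;
    const at = Date.parse(m.timestamp);
    // Reject unparsable or future timestamps; accept only a recent MFA.
    if (!Number.isFinite(at) || at > nowMs) return false;
    return nowMs - at <= maxAgeSeconds * 1000;
  });
}

// Constructed policy value: treat MFA completed in the last 8 hours as fresh.
const MFA_MAX_AGE_SECONDS = 8 * 60 * 60;

// Post-login Action body (assumed wiring: Auth0 Actions > Flows > Login).
// Runs for every client in the tenant, so it also covers the SAML RWA.
// It keeps enforcing MFA whenever the session has no fresh MFA record,
// and only skips the challenge when one is present.
const onExecutePostLogin = async (event, api) => {
  const methods = event.authentication && event.authentication.methods;
  if (!mfaCompletedWithin(methods, Date.now(), MFA_MAX_AGE_SECONDS)) {
    api.multifactor.enable("any");
  }
};

// Export in the form Auth0 expects when this file is deployed as an Action.
if (typeof module !== "undefined" && module.exports) {
  module.exports = { onExecutePostLogin, mfaCompletedWithin };
}
```

Log which branch the Action took (for example via `console.log` visible in the tenant logs) while reproducing steps 5 to 7, so you can tell whether the second RWA is reusing the session or starting a new one.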