We’re getting failed Authentications when using the new Identifier First Universal Login page option, and an Enterprise SSO Azure connection.
Here's the basic error message we see: “You may have pressed the back button, refreshed during login, opened too many login dialogs, or there is some issue with cookies, since we couldn’t find your session. Try logging in again from the application and if the problem persists please contact the administrator.&tracking=”
I think the actual issue is cross-domain cookies (explained below).
Here are a couple of flowcharts of what we’re seeing. The issue, I believe, is that when a user is being redirected to Azure for login, a ‘redirect_uri’ URL parameter is being set to one specific domain, login.domainA.com (which matches our Production Tenant custom domain).
Our production tenant has 2 applications with different domains, and in our normal login flow (Auth0 custom DB connection) I can dynamically set the correct redirect_uri based on which application a user is trying to log in to. It could be login.domainA.com or login.domainB.com. But during the Azure Enterprise Login flow, I lose control of the redirect_uri, and it always defaults to login.domainA.com.
I think the issue is that when Azure redirects the user back to the redirect_uri (from the URL param), Auth0 cannot finish authenticating someone who started at domainB.com and always gets redirected to domainA.com.
- The Enterprise SSO Azure login works when we log in from domainA.com.
- It does not work when we log in from domainB.com (see error message above).
See Flow Chart:
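The following is an added illustration, not code from the post above or from Auth0 or Azure: a deliberately simplified model of why a host-scoped transaction cookie is not found when the IdP callback lands on a different custom domain than the one that started the login. The hostnames login.domainA.com and login.domainB.com are the ones named in the post; the cookie name, the state value and the callback path are constructed placeholders, and the model does not reproduce Auth0's actual internals.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class CookieJar:
    """Host-scoped cookie store: a cookie set by one host is only presented
    back to that same host, which is how browsers treat host-only cookies."""
    store: dict = field(default_factory=dict)  # (host, cookie name) -> value

    def set(self, host: str, name: str, value: str) -> None:
        self.store[(host.lower(), name)] = value

    def get(self, host: str, name: str):
        return self.store.get((host.lower(), name))


def start_login(jar: CookieJar, login_host: str, state: str) -> str:
    # Before redirecting to the external IdP, the login host records the
    # in-flight transaction in a cookie scoped to itself (name is constructed).
    jar.set(login_host, "tx_cookie", state)
    return state


def idp_callback(jar: CookieJar, redirect_uri: str, state: str) -> str:
    # The IdP sends the browser to redirect_uri with the state value.
    # The callback host can only see cookies that were set on that host.
    callback_host = urlparse(redirect_uri).hostname
    tx = jar.get(callback_host, "tx_cookie")
    if tx is None:
        return "error: couldn't find your session"
    if tx != state:
        return "error: state mismatch"
    return "ok"


def simulate(origin_host: str, redirect_uri: str) -> str:
    """Run one login round trip: start on origin_host, return via redirect_uri."""
    jar = CookieJar()
    state = "constructed-state-123"  # placeholder transaction id
    start_login(jar, origin_host, state)
    return idp_callback(jar, redirect_uri, state)


def redirect_uri_host_matches(origin_host: str, redirect_uri: str) -> bool:
    """Diagnostic check: does the redirect_uri sent to the IdP point back at
    the same custom-domain host that began the transaction?"""
    return urlparse(redirect_uri).hostname == origin_host.lower()


if __name__ == "__main__":
    # Reproduces the symptom described in the post: start on domainB,
    # callback forced to domainA, cookie not found.
    print(simulate("login.domainB.com", "https://login.domainA.com/login/callback"))
    print(simulate("login.domainA.com", "https://login.domainA.com/login/callback"))
    print(redirect_uri_host_matches("login.domainB.com",
                                    "https://login.domainA.com/login/callback"))
```

Running the script prints the "couldn't find your session" outcome for the domainB-to-domainA case and "ok" when the callback host matches the originating host, which is the mismatch the post suspects.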