Use social connections to silently login

Hello!

We have two separate Auth0 tenants and want to avoid making users log in twice. We’ve used a social connection to allow users to sign into application 1 (tenant A) using their account from tenant B.

Is it possible for application 2 (tenant B) using the existing user session to sign into application 1 (tenant A) without being shown the login page?

Thanks in advance!

Hi @pavlo.daniv,

Welcome to the Auth0 Community!

Yes, it is possible. You will need to use SAML SSO with tenant A as the SP to authenticate your users against the application in tenant, which will serve as the IdP.

See this doc for more information.

Thanks,
Rueben

1 Like

Thank you for the reply @rueben.tiow

Will this approach allow us to communicate with two separate APIs secured by the different tenants, or is it something that works only for authenticating web applications?

And if it’s the latter, what approach should we take to allow the user to stay on one web page and have a single token for both REST APIs secured by the separate tenants?

Thanks,
Pavlo

Hi @pavlo.daniv,

It should only work for the authenticating web applications. This is justified by the API settings, which can only authorize applications on the same tenant.

In this situation, you can perform silent authentication after the user logs in with SAML to get an access token for the required audience. In your silent authentication request, include the API identifier (audience) for the API that you need the access token for.

By doing so, you can create access tokens for each API since they exist in different tenants and use them accordingly.

I hope this helps!

Thanks,
Rueben

In case of such a setup (with APIs secured by separate Auth0 tenants) do I need to create a third tenant to be an IdP of the other two tenants?
Also, after I log in with SAML into one of the apps (let’s say the app under tenant A), will that page session be able to communicate with the Management API (either tenant B or the IdP tenant) to get the other tenants’ access tokens?

Thanks,
Pavlo

Hi @pavlo.daniv,

That’s correct! You can create three tenants, where tenant A (app 1) and tenant B (app 2) are both SPs, and the third tenant C is the IdP.

If you need to access either tenant B or the IdP tenant’s resource, you will need to perform silent authentication to get the access tokens for them. This involves passing in the prompt=none query parameter in the request.

For example:

GET https://{yourDomain}/authorize
    ?response_type=id_token token&
    client_id=...&
    redirect_uri=...&
    state=...&
    scope=openid...&
    nonce=...&
    audience=...&
    response_mode=...&
    prompt=none

See Configure Silent Authentication.

Thanks,
Rueben

1 Like

Hi @rueben.tiow ,

Thank you so much for your response!

So it looks like I can use the silent authentication even without a separate IdP.
As soon as I have an application on tenant B’s end and the client_id of that application on the tenant A web page, I can “exchange” the access token of the user in tenant A for an access token of the user in tenant B.
Meaning the SSO part (IdP and SP) can be used together with this flow but is really an optional thing.

Please confirm and thank you!

Thanks,
Pavlo

1 Like

Hi @pavlo.daniv,

Yes, that’s correct! I can confirm. :+1:

Let me know if you have any further questions.

Cheers,
Rueben

1 Like
