IdP-Initiated SAML Login #261
Comments
Hi @adarnon - thanks for raising this issue. This library implements OpenID Connect (OIDC), which does not support the concept of an IdP-Initiated flow. You should be able to configure a similar experience using silent authentication and seamless SSO though.
Thank you, that makes sense. How would you suggest creating a session on auth0.com through the enterprise portal? The SSO url
Hi @adarnon
By this I mean, your login portal is a web app - have the user login to auth0.com on this web app - eg.
Hi @adarnon - I hope this answers your question - closing for now, feel free to ping me to reopen it if you want to discuss further.
@adamjmcgrath Hey, I'm not following the first steps; maybe I'm confused about the terminology. Right now, my application uses nextjs-auth0 to handle user auth. If a user visits any page on my app, they are redirected to My users want to be able to log in from their IdP. So, for example, they would have "Adar's App" on their Okta dashboard, and clicking on it would directly log them into my app. If I add a SAML connection on Auth0 and connect it to my Auth0 Client, turn on universal login and home-realm discovery, and configure the SSO login URL on the Okta app, when the user tries to visit the app they'll get the error above - because they didn't initiate the session from When you say "user clicks login on portal app", do you mean in their SSO dashboard? If so, how would they be redirected to auth0.com to log in? Should I add another dedicated API route for IdP-initiated SSO under my web app?
I know this is closed, but it's something we ran into and just wanted to say thank you @adamjmcgrath. With your instructions above we were able to get a workaround working for Okta that we're happy with. 🙏
I am also confused like @adarnon was - my scenario is that I'm providing a service to an enterprise client who uses Okta, and they have their own portal for their applications. They want to be able to click on our app from there and get logged in immediately. When you say that the user clicks log in on the portal app - I'm confused, since I don't own their portal app and I can't make my clients not use Okta. Would love some guidance for how I can make this flow work!
Description
If I'm not wrong, the library currently does not support IdP-Initiated Logins through SAML. This is a flow that many enterprise customers require and I couldn't find a way around it with the library.
Reproduction
The library uses a cookie `a0:state` to prevent CSRF attacks. However, in IdP-initiated connections the cookie does not exist so the flow fails. There should be a way to ignore the missing cookie for connections that allow IdP-initiated login.