Docs

Server-side Single Sign-On (Regular Web Apps)

Versionlegacy

To log a user in silently (that is, without displaying the Lock screen) the following conditions need to be met:

  1. The Application needs to be configured to Use Auth0 instead of the IdP to do Single Sign-on in the Applications section of the Auth0 Management Dashboard
  2. A Single Sign-on (SSO) cookie must exist for the tenant's domain. In other words the user must have signed in previously, and the SSO cookie which was saved is still valid.
  3. When calling the Auth0 authentication endpoint, the connection name is passed along for which the user must be signed in. This connection name is the same as the one specified in the SSO cookie. You can pass the connection name along either as a parameter when calling the signin function of the auth0.js Library, or by passing the connection query string parameter when calling the /authorize endpoint of the Authentication API

The SSO scenario

In our SSO scenario, let's say we have 3 applications

  • App 1: app1.com (Single-Page App)
  • App 2: app2.com (Single-Page App)
  • App 3: app3.com (Regular Web app)

If a user logs in to any of these applications, and then subsequently navigates from this application to any of the other applications, we would want the user to be logged in automatically.

In this document we will be looking specifically how to achieve this in a Regular Web Application

The user logs in on one of the Single-Page Applications and click on a link that should take them to a particular URL on app3.com. In this case, you can create an endpoint on the target application (app3) that will redirect to the URL the user wanted to go after SSO. For example:

This endpoint would check if the user is already logged in to this app. If they are, then redirect to the target URL. If the user is not logged in to the application, then redirect to Auth0 for SSO, passing along the name of the connection to use:

Here is an example in node.js:

When the user comes back from Auth0 you should check for the state parameter and redirect to the original target URL.

Here is an example in node.js:

Case 2: The user is already logged in and goes to app3.com

The user is logged in on app1.com and opens a new tab and goes to app3.com. You would expect the user to be automatically signed in. To do that, you need to redirect the user to the following URL in a filter or a middleware:

Here is an example in node.js:

If the user was already logged in before, then Auth0 will automatically redirect back to the application with a new token. If not, then it will show the Auth0 Login Page.

Case 3: The user has never logged in

The user has never logged in to any app. In this case, the filter or middleware mentioned in the previous point checks if the user is authenticated or not, and in the case they're not, redirects the user to the following URL: