
What I'm trying to do is a Silent Authentication with Auth0 as Identity Provider using the SAML 2.0 protocol. I don't want to use the Auth0 SDK because the purpose of the Server Provider is to be able to change between Identity Providers. I have read this post and this other one. I updated my login URL from

https://{your_domain}.auth0.com/samlp/{client_id}

to

https://{your_domain}.auth0.com/samlp/{client_id}?connection={your_db_connection_name}

As mentioned in the first link, but this only allows me to avoid redirections if the user already has an existing session. The second link refers to a parameter in the URL:

prompt = none

But this is for the OpenID Connect protocol, so it doesn't help me.

The current flow is the following:

  1. The user sends credentials to my Server Provider (this is useless because Auth0 requires the credentials in its widget)
  2. The Server Provider requests SAML authentication from Auth0
  3. Auth0 redirects the user to its login widget (the user enters the credentials again)
  4. The user gets access

What I want to achieve is:

  1. The user sends credentials to my Server Provider
  2. The Server Provider integrates the credentials (here is where I do not know how) in the SAML 2.0 request
  3. Auth0 receives and authenticates the credentials (without any kind of redirection)
  4. The user gets access

What I'm using:

  • As Server Provider, Node.js with Express and the saml2-js library
  • As Identity Provider, a Regular Web Application with the SAML2 Web App add-on on Auth0

I am new to SAML and Auth0 and I do not know much yet. Any guide or advice is welcome. Thank you.

(If I have flaws in my English, do not hesitate to comment, thanks)


I have researched this and discovered that it is not possible to achieve it (not now, perhaps in the future).

The use of the HTTP-POST Binding allows avoiding redirection only if a user session already exists. If not, the user will be redirected to the IdP login page (in this case, the login page of Auth0).

There is a profile in the SAML protocol and it is called Enhanced Client or Proxy (ECP), but it is rarely used and recommended for applications that can't use the browser.

Also, only some IdPs support it, like Keycloak and Shibboleth.
