Disable Seamless SSO Between Applications

Overview

This article explains how to disable automatic Single Sign-On (SSO) between applications. When this feature is enabled, a user with an active session in one application is automatically logged in to another application on the same tenant without being prompted for credentials.

Applies To

  •  SSO Applications

Cause

This behavior occurs because seamless Single Sign-On (SSO) is enabled by default at the tenant level. When a user authenticates with an application, the system stores a session cookie in the browser. When the user accesses a second application on the same tenant, the system detects this valid session cookie and automatically authenticates the user, skipping the login prompt.

Solution

To prevent automatic authentication and require users to enter credentials for each application, use one of the following methods. The first method is the recommended solution, while the second is a workaround.

  1. Update the client-level sso_disabled flag to true using the PATCH /api/v2/clients/{id} Management API endpoint. 

    • sso_disabled: boolean - Set to true to disable SSO. The default value is false.

  2. Force the login prompt to be displayed by specifying prompt=login with the /authorize request as explained in our documentation.

Note: Specifying prompt=login is not a security measure. It is a query parameter on the /authorize request, so end users can modify it; only the client-level sso_disabled flag enforces the behavior server-side.
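The following Python example is added here and is not code from the article or from Auth0; it shows what the recommended method looks like as a Management API call, and goes one step further by auditing a list of clients to find those that still allow seamless SSO. The tenant domain, client ids and token are hypothetical placeholders, and the request is built but not sent so the functions can be exercised offline.

```python
import json
import urllib.request

# Hypothetical values, not from the article: replace with your tenant domain and a
# Management API token that is allowed to update clients.
TENANT_DOMAIN = "example-tenant.example.com"
MGMT_TOKEN = "<management-api-token>"


def build_disable_sso_request(domain, client_id, token):
    """Build the PATCH /api/v2/clients/{id} request that sets sso_disabled to true.

    The request object is only constructed here, not sent, so it can be inspected
    offline; urllib.request.urlopen(req) would apply it against the tenant.
    """
    url = f"https://{domain}/api/v2/clients/{client_id}"
    body = json.dumps({"sso_disabled": True}).encode()
    req = urllib.request.Request(url, data=body, method="PATCH")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    return req


def clients_with_seamless_sso(clients):
    """Return the client_ids from a GET /api/v2/clients response that still allow
    seamless SSO, i.e. sso_disabled is false or absent (the default is false)."""
    return [c["client_id"] for c in clients if not c.get("sso_disabled", False)]


# Constructed sample in the shape of a GET /api/v2/clients response (not real data).
SAMPLE_CLIENTS = [
    {"client_id": "app-one", "name": "App One", "sso_disabled": True},
    {"client_id": "app-two", "name": "App Two", "sso_disabled": False},
    {"client_id": "app-three", "name": "App Three"},  # flag absent: default false
]

if __name__ == "__main__":
    # Show the PATCH that would be issued for each client that still has SSO enabled.
    for cid in clients_with_seamless_sso(SAMPLE_CLIENTS):
        req = build_disable_sso_request(TENANT_DOMAIN, cid, MGMT_TOKEN)
        print(req.get_method(), req.full_url, req.data.decode())
```

Run the audit against the real GET /api/v2/clients output before patching, so that clients which intentionally share a session are not changed by mistake.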
