Redirecting to Multiple Applications Using IdP-Initiated SAML Login
This article explains how to implement a solution that redirects to different applications when Auth0 is the SAML service provider and the upstream Identity Provider (IdP) only supports the IdP-initiated login flow.
In the IdP-initiated SAML login flow, Auth0's default behaviour is to redirect to a specific application configured in the enterprise SAML connection's IdP-initiated settings.
- SAML Enterprise Connection
- IdP-Initiated SAML Login Flow
In the SAML Enterprise Connection settings for the IdP-initiated login flow, Auth0 allows only one application for redirection. This enforces a 1-to-1 relationship between connections and applications, requiring a new connection for each application configured in the Auth0 tenant.
Two solutions exist to support 1-to-N relationships between SAML connections and applications.
Option 1: Create a Router Application
1. Configure a router application for the IdP-initiated login flow. This application is managed by our customers on their servers.
2. After a successful authentication, Auth0 forwards the RelayState parameter sent by the IdP to this application; the RelayState carries the target application's URL.
3. The router application validates that the redirect URL belongs to an authorized application, to prevent open redirects, and then redirects the user to the target application.
4. The target application immediately starts a new login attempt. The redirect URL should be the app's default login starting route. Because the Auth0 session from step 2 is still active, the user signs in without being prompted for credentials. This application should have the same SAML connection enabled in its application settings.
Option 2: Redirect From a Post-Login Action
1. In the IdP-initiated flow settings of the SAML connection, configure the application to use OpenID Connect (OIDC).
2. In an Auth0 Action, read the RelayState parameter from the state query parameter and redirect to the target application's login entry point.
The following Action code can be used as a starting point. For enhanced security, we recommend signing a token and sending it in the query parameters, so that the target application can verify it before starting the authentication flow.
exports.onExecutePostLogin = async (event, api) => {
  const REQUIRED_CLIENT_ID = 'your-app-client-id';
  const REQUIRED_CONNECTION = 'your-saml-connection-name';

  // Allowlist of valid redirect destinations. These should be the login entry points of
  // your applications.
  const ALLOWED_REDIRECTS = [
    'https://demo.com/login',
    'https://acme.com/login'
  ];

  const { client_id } = event.client;
  const { name: connection_name, strategy } = event.connection;
  // Auth0 exposes the IdP's RelayState as the state query parameter.
  const { state: customRedirect } = event.request.query;

  // Debug logging; remove once the flow has been verified.
  console.log("Client:", event.client);
  console.log("Connection:", event.connection);
  console.log("Query:", event.request.query);

  const isCorrectClient = client_id === REQUIRED_CLIENT_ID;
  const isCorrectConnection = connection_name === REQUIRED_CONNECTION;
  const isSamlProtocol = strategy === 'samlp';

  if (isCorrectClient && isCorrectConnection && isSamlProtocol) {
    // Use exact match against the allowlist, not prefix matching
    if (customRedirect && ALLOWED_REDIRECTS.includes(customRedirect)) {
      api.redirect.sendUserTo(customRedirect);
    } else if (customRedirect) {
      api.access.deny('Invalid redirect destination.');
    }
  }
};
3. The target application immediately starts a new login attempt. The redirect URL should be the app's default login starting route. Because the Auth0 session from step 2 is still active, the user signs in without being prompted for credentials. This application should have the same SAML connection enabled in its application settings.
NOTE: If the additional token protection is implemented, the target application should verify the token before starting the login flow.