We’re using Stalwart with an OIDC directory. Is there any way to have the Web UI check if there is an active SSO session and automatically log in as the user in that session, instead of having to manually enter a username/email and then re-authenticate?
The WebUI’s OAuth flow has a key design detail that directly answers your question. Looking at the startAuthFlow function in the WebUI source, it always sets prompt: 'login' in the authorization request parameters (line ~148 in the source). This means the WebUI explicitly forces a fresh login prompt on every authentication, even if your OIDC provider already has an active session – it will never silently reuse an existing SSO session.
Additionally, the flow requires a username to perform discovery first (/api/discover/<username>), so there is no mechanism to initiate the OAuth redirect without first entering a username.
In short, transparent/silent SSO re-use (where the WebUI checks for an existing OIDC session and logs the user in automatically) is not currently implemented. The prompt: 'login' hard-coded value intentionally bypasses any existing IdP session, and the username-first discovery step means there is no way to start the flow without user input.
This isn’t covered in the current docs as a configurable option. A community member or staff member will follow up to confirm if this is a planned feature or if there is a workaround.
This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong.
Silent SSO is not possible in the web UI today. It sends prompt=login to the provider, which forces a fresh authentication even when you already have an active SSO session, and it also asks you to type a username up front to pick the directory. So there is no unprompted entry point that reuses an existing session.
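The effect of the prompt parameter discussed in this thread, as an added example that is not Stalwart's WebUI code: the first function classifies an authorization request URL by the OpenID Connect Core rules for prompt and max_age, and the second shows how a client would interpret the redirect from a prompt=none attempt. The idp.example and webui.example URLs, the client_id and all function names are constructed for illustration.

```javascript
// Added example: constructed URLs, hypothetical names; not Stalwart code.
const SILENT_FAILURES = new Set([
  'login_required', 'interaction_required',
  'consent_required', 'account_selection_required',
]);

// Classify an authorization request by its `prompt` / `max_age` parameters
// (OpenID Connect Core, section 3.1.2.1).
function classifyAuthRequest(authUrl) {
  const params = new URL(authUrl).searchParams;
  const prompts = (params.get('prompt') || '').split(' ').filter(Boolean);
  const maxAge = (params.get('max_age') || '').trim();

  if (prompts.includes('none') && prompts.length > 1) {
    return { sessionReuse: 'invalid', reason: 'none cannot be combined with other prompt values' };
  }
  if (prompts.includes('login')) {
    return { sessionReuse: 'never', reason: 'prompt=login forces re-authentication' };
  }
  if (maxAge !== '' && Number(maxAge) === 0) {
    return { sessionReuse: 'never', reason: 'max_age=0 forces re-authentication' };
  }
  if (prompts.includes('none')) {
    return { sessionReuse: 'silent', reason: 'no UI shown; error returned if no session' };
  }
  if (prompts.length > 0) {
    return { sessionReuse: 'interactive', reason: `provider shows UI for: ${prompts.join(', ')}` };
  }
  return { sessionReuse: 'provider-decides', reason: 'no prompt sent; provider may reuse its session' };
}

// Interpret the redirect that comes back from a prompt=none attempt.
function interpretSilentCallback(callbackUrl) {
  const params = new URL(callbackUrl).searchParams;
  const error = params.get('error');
  if (error) {
    return SILENT_FAILURES.has(error) ? 'fallback-to-interactive' : 'fail';
  }
  return params.has('code') ? 'exchange-code' : 'fail';
}

// Constructed sample requests, printed for a quick look at each case.
const BASE = 'https://idp.example/authorize?response_type=code&client_id=webui';
for (const q of ['&prompt=login', '&prompt=none', '&prompt=none+login', '&max_age=0', '']) {
  const { sessionReuse, reason } = classifyAuthRequest(BASE + q);
  console.log(`${q || '(no prompt)'} -> ${sessionReuse}: ${reason}`);
}
```

A request carrying prompt=login, as described for the WebUI above, lands in the "never" case regardless of any session the provider holds.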