diff --git a/server/routers/badger/verifySession.ts b/server/routers/badger/verifySession.ts index 987d7e061..cf36fef72 100644 --- a/server/routers/badger/verifySession.ts +++ b/server/routers/badger/verifySession.ts @@ -736,11 +736,14 @@ export async function verifyResourceSession( } } - // If headerAuthExtendedCompatibility is activated but no clientHeaderAuth provided, force client to challenge + // If headerAuthExtendedCompatibility is activated but no clientHeaderAuth provided, force client to challenge. + // Skip the challenge when SSO is also enabled so browsers get the SSO redirect instead of a native Basic + // Auth dialog; clients that proactively send Authorization: Basic are still accepted above. if ( headerAuthExtendedCompatibility && headerAuthExtendedCompatibility.extendedCompatibilityIsActivated && - !clientHeaderAuth + !clientHeaderAuth && + !sso ) { return headerAuthChallenged(res, redirectPath, resource.orgId); }