Stuck enabling SAML 2 web app addon

I’m attempting to test and use SAML2 authentication using auth0 as per this document:

I’m up to the point of enabling the SAML2 web app addon:

Locate the box with the “SAML2 WEB APP” label and click on the circle toggle to turn it green.

Upon clicking the box, this popup appears, but it is stuck at that point for at least half an hour with no progress. The dialog never fully populates, and if I close the box, the SAML2 Web App box didn’t actually get checked.

![alt text][1]

Any assistance that could help me past this would be much appreciated.

Thanks for bringing this to our attention; this is indeed an issue that manifests itself in recently created tenants or existing tenants that disabled some global settings. I can let you know that the issue is already being tracked by engineering to be addressed and I can try to update this post when the situation is sorted.

Meanwhile, based on the information I have, this issue is constrained to the dashboard interface, so it should still be possible to enable and configure the addon directly through the Management API v2, in particular through the update client endpoint:

If the situation is blocking for you, just let me know and I can further help you with the configuration through the API.


UPDATE:

For your convenience here is a sample CURL command to update a client application while enabling the SAML addon:

```bash
curl --request PATCH \
  --url https://{your_domain}.auth0.com/api/v2/clients/{your_client_id} \
  --header 'authorization: Bearer {your_mgt_api_access_token}' \
  --header 'content-type: application/json' \
  --data '{
  "addons": {
    "samlp": {
      "audience": "urn:example",
      "recipient": "http://example.com",
      "mappings": {
        "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
        "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
        "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
        "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
        "upn": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
        "groups": "http://schemas.xmlsoap.org/claims/Group"
      },
      "createUpnClaim": true,
      "passthroughClaimsWithNoMapping": true,
      "mapUnknownClaimsAsIs": false,
      "mapIdentities": true,
      "signatureAlgorithm": "rsa-sha1",
      "digestAlgorithm": "sha1",
      "destination": "http://example.com",
      "lifetimeInSeconds": 3600,
      "signResponse": false,
      "typedAttributes": true,
      "includeAttributeNameFormat": true,
      "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
      "nameIdentifierProbes": [
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
      ],
      "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
      "logout": {
        "callback": "http://example.com/logout",
        "slo_enabled": true
      },
      "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    }
  }
}'
```

You’ll need to replace three placeholders before executing it:

  • {your_mgt_api_access_token}
  • {your_client_id}
  • {your_domain}

The body shows all configuration options available; you may remove the ones you don’t want to use.
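As an added example (not code from the original post or from Auth0), here is a small Python script that builds the same PATCH body and request, refuses to send it while the template placeholders are still in place, and diffs a later GET of the client against what was sent so that an addon change that silently did not stick is caught. The function names are assumed, and it defaults to rsa-sha256/sha256 rather than the sample's rsa-sha1/sha1.

```python
import json
import re
import urllib.request

# A value still shaped like the curl template's {placeholder} must not be sent.
_PLACEHOLDER = re.compile(r"\{[^}]*\}")
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"


def build_samlp_patch(audience, recipient, destination, logout_callback,
                      signature_algorithm="rsa-sha256", digest_algorithm="sha256"):
    """Return the PATCH body that enables the samlp addon for one client.

    Mirrors the sample body from the thread minus options left at defaults,
    but signs with SHA-256 rather than SHA-1 (assumed to be accepted values).
    """
    return {"addons": {"samlp": {
        "audience": audience,
        "recipient": recipient,
        "destination": destination,
        "mappings": {"user_id": CLAIMS + "nameidentifier",
                     "email": CLAIMS + "emailaddress",
                     "name": CLAIMS + "name"},
        "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
        "nameIdentifierProbes": [CLAIMS + "nameidentifier", CLAIMS + "emailaddress"],
        "signatureAlgorithm": signature_algorithm,
        "digestAlgorithm": digest_algorithm,
        "lifetimeInSeconds": 3600,
        "logout": {"callback": logout_callback, "slo_enabled": True},
        "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    }}}


def build_request(domain, client_id, token, body):
    """Build PATCH /api/v2/clients/{id}; refuse values that are still placeholders."""
    for name, value in (("domain", domain), ("client_id", client_id), ("token", token)):
        if not value or _PLACEHOLDER.search(value):
            raise ValueError(f"{name} still contains a template placeholder")
    return urllib.request.Request(
        f"https://{domain}/api/v2/clients/{client_id}",
        data=json.dumps(body).encode(), method="PATCH",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})


def samlp_missing(client, expected):
    """Diff a GET /api/v2/clients/{id} response against the body that was sent;
    returns the samlp keys that are absent or different, i.e. what did not stick."""
    got = client.get("addons", {}).get("samlp", {})
    want = expected["addons"]["samlp"]
    return sorted(k for k, v in want.items() if got.get(k) != v)
```

Send the request with `urllib.request.urlopen`, then GET the client and pass the parsed JSON to `samlp_missing`; an empty list means the addon is configured as intended.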

@gwynjudd I updated my answer to contain a sample CURL in case you or someone else needs to configure it through the API.

Is there a way to retrieve the metadata via the API as identified in step 3 here: https://auth0.com/docs/protocols/saml/saml-idp-generic

The workaround is helpful, but some of the data is still difficult to access.

If you go to the client application’s regular settings, click Show Advanced Settings at the bottom and select the Endpoints section, the SAML metadata endpoints are also listed there.

Thanks, that seems to have gotten me past that issue.