Thanks for bringing this to our attention; this is indeed an issue that manifests itself in recently created tenants or existing tenants that disabled some global settings. I can let you know that the issue is already being tracked by engineering to be addressed and I can try to update this post when the situation is sorted.
Meanwhile, based on the information I have, this issue is constrained to the dashboard interface, so it should still be possible to enable and configure the addon directly through the Management API v2, in particular, through the update client endpoint:
If the situation is blocking for you, just let me know and I can further help you with the configuration through the API.
UPDATE:
For your convenience here is a sample CURL command to update a client application while enabling the SAML addon:
curl --request PATCH \
  --url https://{your_domain}.auth0.com/api/v2/clients/{your_client_id} \
  --header 'authorization: Bearer {your_mgt_api_access_token}' \
  --header 'content-type: application/json' \
  --data '{
    "addons": {
      "samlp": {
        "audience": "urn:example",
        "recipient": "http://example.com",
        "mappings": {
          "user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
          "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
          "given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
          "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
          "upn": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
          "groups": "http://schemas.xmlsoap.org/claims/Group"
        },
        "createUpnClaim": true,
        "passthroughClaimsWithNoMapping": true,
        "mapUnknownClaimsAsIs": false,
        "mapIdentities": true,
        "signatureAlgorithm": "rsa-sha1",
        "digestAlgorithm": "sha1",
        "destination": "http://example.com",
        "lifetimeInSeconds": 3600,
        "signResponse": false,
        "typedAttributes": true,
        "includeAttributeNameFormat": true,
        "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
        "nameIdentifierProbes": [
          "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
          "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
        ],
        "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
        "logout": {
          "callback": "http://example.com/logout",
          "slo_enabled": true
        },
        "binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      }
    }
  }'
You’ll need to replace three placeholders before executing it:
{your_mgt_api_access_token}
{your_client_id}
{your_domain}
The body shows all configuration options available; you may remove the ones you don’t want to use.
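Added example, not part of the original post or Auth0's own code: a pre-flight review of the `addons.samlp` body that flags the sample's SHA-1 algorithm values and plain-HTTP endpoints before the PATCH is sent. The function names are hypothetical, the sample body is a constructed, trimmed copy of the one above, and it assumes the addon accepts `rsa-sha256` and `sha256` as the SHA-2 alternatives.

```python
import json

# Constructed sample: a trimmed copy of the post's "samlp" request body.
SAMPLE_BODY = json.loads("""
{"addons": {"samlp": {
  "audience": "urn:example",
  "recipient": "http://example.com",
  "destination": "http://example.com",
  "signatureAlgorithm": "rsa-sha1",
  "digestAlgorithm": "sha1",
  "logout": {"callback": "http://example.com/logout", "slo_enabled": true}
}}}
""")

URL_KEYS = ("recipient", "destination")


def review_samlp(body):
    """Return a list of findings for the addons.samlp section of a PATCH body."""
    samlp = body.get("addons", {}).get("samlp")
    if samlp is None:
        return ["no addons.samlp section in body"]
    findings = []
    for key in ("signatureAlgorithm", "digestAlgorithm"):
        if "sha1" in str(samlp.get(key, "")).lower():
            findings.append(f"{key} uses SHA-1: {samlp[key]}")
    urls = {k: samlp.get(k) for k in URL_KEYS}
    urls["logout.callback"] = samlp.get("logout", {}).get("callback")
    for name, url in urls.items():
        if isinstance(url, str) and url.startswith("http://"):
            findings.append(f"{name} is plain HTTP: {url}")
    return findings


def harden(body):
    """Copy of body with SHA-256 values (assumed accepted); URLs left as-is."""
    fixed = json.loads(json.dumps(body))  # deep copy, original stays untouched
    fixed["addons"]["samlp"].update(
        signatureAlgorithm="rsa-sha256", digestAlgorithm="sha256")
    return fixed


if __name__ == "__main__":
    for finding in review_samlp(SAMPLE_BODY):
        print("-", finding)
    print(json.dumps(harden(SAMPLE_BODY), indent=2))
```

The endpoint URLs are left for the operator to replace, since the correct HTTPS values depend on the service provider.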