SAML Post-Back URL receiving two audiences causes “Invalid audience” error even though one audience is correct

In our SAML connection, Auth0 acts as a service provider with HelloID as the identity provider. Auth0 asks HelloID for authentication, and HelloID responds with SAML data that includes two audiences. The first is the Auth0 post-back URL itself and the second is the SAML entity ID for our connection. (Note that Auth0 requires that the audience be the SAML entity ID.)

In this scenario, Auth0 issues an “Invalid audience” error.

Is this problem because Auth0 doesn’t like SAML data with multiple audiences, or that it requires the first audience to be the entity ID? Is there any way to avoid the error when the SAML has multiple audiences?

The underlying issue is that the current logic is only checking the first provided audience, this situation is already being tracked in our backlog so that it can be further reviewed and addressed.

In relation to workarounds, if you can in some way control the order of the audiences being included then including the one that is the default SAML entity ID would likely resolve the situation. Another possibility, although not documented would be to perform an update through the Management API to the connection in question and add a new entityId field within the options object where the value is the URL that your identity provider is using as first audience. I never done this myself, but it was listed as a possible workaround in a previous report of this issue; also, have in mind that this is brittle because if the identity provider changes the order the error is triggered again and also this is not formally documented.

According to the issue that is already being tracked the logic should be updated to check all audiences which would resolve the situation, but at this time I don’t have a definitive timeline for its resolution.

Thank you! The workaround was effective for me.

One concern is that the “Setup Instructions” for the connection still show our SAML entity ID as being the old (standard) value, not the value that I changed it to with the API call. So I’ll have to remember what this connection’s real entity ID is if I want to restore it once the backlog item is fixed.

Is there a way for me to be notified when that backlog item is fixed?

It’s a private repository so there’s no way for you to get a direct notification. I’ll try to see if there are any other options in terms of indirectly getting informed of this.