Auth0 as Identity Provider Where IdP Initiates SSO

I’m following the documentation here:

It's not clear how I would use Auth0 Lock to assemble the specified URL:

https://innovops.auth0.com/samlp/CLIENT_ID?RelayState=http://FINAL_DESTINATION_URL

We’ve tried various iterations of the following:

<script src="http://cdn.auth0.com/js/lock/10.19.0/lock.min.js"></script>
<script type="text/javascript">
  // Lock instance for the Auth0 client and tenant domain
  var lock = new Auth0Lock('CLIENT_ID', 'innovops.auth0.com', {
    samlp: true,
    auth: {
      params: {
        responseType: 'token',
        // The URL must be a quoted string to be valid JavaScript
        RelayState: 'http://FINAL_DESTINATION_URL'
      }
    }
  });

  // Open the Lock login widget
  function signin() {
    lock.show();
  }
</script>

We get the following error when using the default Lock config:
Failed to load https://innovops.auth0.com/samlp/Cp5CaAL1dOuEXsupm23urkqdYM5AbES2/user/ssodata/: The value of the ‘Access-Control-Allow-Credentials’ header in the response is ‘’ which must be ‘true’ when the request’s credentials mode is ‘include’. Origin ‘https://deploy-preview-228--milnergroup.netlify.com’ is therefore not allowed access. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

If you have configured Auth0 to act as a SAML identity provider and then you want to perform an IdP-initiated login, then there is no need to bring in Lock as a dependency; to my knowledge, there's not even support in Lock for that.

In conclusion, for an IdP-initiated login, unless I'm missing something, you just need to navigate the user to the URL you got from the documentation you linked to. In particular, you'll have:

https://[your_account].auth0.com/samlp/[your_client_id]?RelayState=[the_desired_final_url_at_the_sp]

where:

  • [your_account] - is your Auth0 account;
  • [your_client_id] - is the client identifier that you created to represent the SAML service provider for which you want to trigger the IdP initiated login;
  • [the_desired_final_url_at_the_sp] - is the encoded URL to which you would want the service provider to navigate the user after receiving and validating the authentication; keep in mind that the service provider needs to play along and process the RelayState in this way.
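The URL construction described in the answer above, as an added example that is not part of the original thread: it builds the IdP-initiated login URL with an encoded RelayState, and shows how a service provider could check the RelayState before redirecting, since that value arrives through the browser. The function names, the `ALLOWED_SP_ORIGINS` list and the `https://sp.example.com` origin are assumptions.

```javascript
// Added example; all function names and ALLOWED_SP_ORIGINS are hypothetical.
// Constructed sample value: the origin of the SAML service provider.
const ALLOWED_SP_ORIGINS = new Set(['https://sp.example.com']);

// True only for absolute https URLs on a known service-provider origin.
function isAllowedTarget(value) {
  let target;
  try {
    target = new URL(value); // throws on relative or malformed input
  } catch (err) {
    return false;
  }
  return target.protocol === 'https:' && ALLOWED_SP_ORIGINS.has(target.origin);
}

// IdP side: https://[account].auth0.com/samlp/[client_id]?RelayState=[encoded URL]
function buildIdpInitiatedUrl(account, clientId, finalUrl) {
  if (!/^[a-z0-9-]+$/i.test(account)) throw new Error('invalid account name');
  if (!isAllowedTarget(finalUrl)) throw new Error('RelayState target not allowed');
  const url = new URL(`https://${account}.auth0.com/samlp/${encodeURIComponent(clientId)}`);
  url.searchParams.set('RelayState', finalUrl); // percent-encodes the value
  return url.href;
}

// SP side: after validating the SAML response, decide where to send the user.
// RelayState arrives from the browser, so it is untrusted input.
function resolveRelayState(relayState, fallbackUrl) {
  return isAllowedTarget(relayState) ? relayState : fallbackUrl;
}

// In a browser: window.location.assign(buildIdpInitiatedUrl(...));
```

Comparing the parsed origin, rather than checking a string prefix, is what rejects look-alike hosts such as `https://sp.example.com.other.test/`.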