Add a Prefix to SAML Response Signature Namespace - Auth0 as SAML IdP

rueben.tiow · February 1, 2024, 1:17am

Problem statement

To configure Auth0 as a SAML Identity Provider there also needs to be implemented a response with a 2.0 compliant SAML response token.

After configuring the Auth0 SAML Web App Addon, the authentication flow works.

However, the Service Provider application receives a SAML response with a Signature namespace that does not include the “ds:” prefix attribute.

According to the SAML 2.0 specification, we assume to receive the prefix in our SAML response:

=== > < ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"" > instead of <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">;

Solution

There is an undocumented setting for the SAML addon > signatureNamespacePrefix. It can be used to add the ds: prefix like this:
“signatureNamespacePrefix”: “ds”
If adding this in the SAML addon doesn’t work, there is a Rule (since this option is not yet available in Actions) to add it, like this:

function changeSamlConfiguration(user, context, callback) {
  if (context.clientID === 'YOUR-CLIENT-WITH-THE-ADDON') {
     context.samlConfiguration = (context.samlConfiguration || {});
     context.samlConfiguration.signatureNamespacePrefix = "ds"; 
  }
}

Topic		Replies	Views
Adding custom SAML attribute when auth0 is SP JWT.io rules , samlp , saml2	6	10943	December 17, 2018
Adding custom SAML attribute when auth0 is IdP Help saml2	2	4943	January 26, 2022
Adding a SAML response attribute to differentiate one User's linked Identities Help	4	2431	December 22, 2022
How do I set up a SAML 2.0 addon that validates signed requests? Help saml , clients	2	3665	March 2, 2018
SSO Design Scenarios and SAML Options Help	2	3207	September 4, 2019

Add a Prefix to SAML Response Signature Namespace - Auth0 as SAML IdP

Problem statement

Solution

Related topics