Last Updated: Aug 20, 2024
Overview
After successfully logging into the IdP system, the user is redirected to a localhost URL instead of the callback URL.
- There is an SP-initiated flow with a SAML connection.
- The SAML connection has IdP Initiated enabled.
- The user is redirected to a URL different from the one specified in the redirect_uri of the /authorize request.
Applies To
- SAML Connection
- Callback URL
Cause
Auth0 falls back to the IdP-Initiated flow when the SAML response it receives carries no RelayState parameter and/or no InResponseTo attribute.
This means the original /authorize request's parameters (including redirect_uri) are ignored: Auth0 cannot match the SAML response to the login request it sent, so it treats the response as an entirely separate login transaction. If IdP-Initiated login were not enabled for the connection in question, the following error would occur instead:
"invalid_request": "IdP-Initiated login is not enabled for connection 'CONNECTION_NAME'."
To troubleshoot the issue, check the SAML connection configuration:
- Whether it has IdP-Initiated enabled. If no redirect_uri is set in the "query string" field, check the default application's callback URLs: the first allowed callback URL is used by default. See this document for more details.
- If the URL listed there matches the URL the user is seeing, the flow is likely being treated as IdP-initiated, most likely because the RelayState parameter is missing from the response.
- Check the Kibana server logs for the login (the POST to /login/callback); an operation_name of "authzless_idp-initiated_samlp" indicates the IdP-initiated flow was used.
- A HAR file (or debug mode on the SAML connection) is needed to inspect exactly what the IdP returns and to confirm whether RelayState is present.
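The check behind the Cause section and the HAR-inspection step above can be automated. The following script is an added example written for this article, not Auth0 code: it takes the form-encoded body the IdP POSTs to the callback endpoint (as captured in a HAR file's postData), decodes the SAMLResponse, and reports whether both a RelayState field and an InResponseTo attribute are present, which is what Auth0 needs to treat the response as SP-initiated. The two sample responses, the tenant hostname and the state value are constructed for the example; real responses also carry a signed Assertion, which is irrelevant to this check and omitted.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import parse_qs, urlencode

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


def classify_saml_callback(form_body: str) -> dict:
    """Inspect the form-encoded body an IdP POSTs to the SP's ACS endpoint
    (Auth0's /login/callback) and report whether the SP can correlate it
    with an earlier AuthnRequest. Both a RelayState form field and an
    InResponseTo attribute on <samlp:Response> are needed for the
    SP-initiated path; missing either one pushes Auth0 to the IdP-initiated
    path (or to the invalid_request error when that path is disabled).
    """
    fields = parse_qs(form_body, keep_blank_values=True)
    relay_state = fields.get("RelayState", [""])[0]
    saml_response_b64 = fields.get("SAMLResponse", [""])[0]
    if not saml_response_b64:
        raise ValueError("no SAMLResponse field in POST body")

    # xml.etree is fine for a HAR you captured yourself; for untrusted
    # input, parse with a hardened parser such as defusedxml instead.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError(f"unexpected root element {root.tag}")

    in_response_to = root.get("InResponseTo")  # None when the IdP omitted it
    missing = []
    if not relay_state:
        missing.append("RelayState")
    if not in_response_to:
        missing.append("InResponseTo")
    return {
        "relay_state": relay_state or None,
        "in_response_to": in_response_to,
        "missing": missing,
        "treated_as": "sp-initiated" if not missing else "idp-initiated",
    }


def build_form_body(response_xml: str, relay_state: Optional[str]) -> str:
    """Build a constructed HTTP-POST binding body, as a browser would send it."""
    fields = {"SAMLResponse": base64.b64encode(response_xml.encode()).decode()}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return urlencode(fields)


# Constructed, minimal responses (no signature or assertion) for illustration.
# TENANT.auth0.com and the request/response IDs are placeholders.
GOOD_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_resp1" Version="2.0" '
    'IssueInstant="2024-08-20T00:00:00Z" InResponseTo="_authnreq1" '
    'Destination="https://TENANT.auth0.com/login/callback"/>'
)
BAD_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{SAMLP_NS}" ID="_resp2" Version="2.0" '
    'IssueInstant="2024-08-20T00:00:00Z" '
    'Destination="https://TENANT.auth0.com/login/callback"/>'
)

# IdP echoes RelayState and references the AuthnRequest: SP-initiated.
GOOD_BODY = build_form_body(GOOD_RESPONSE, relay_state="opaque-auth0-state")
# IdP drops both: Auth0 falls back to the IdP-initiated path.
BAD_BODY = build_form_body(BAD_RESPONSE, relay_state=None)

if __name__ == "__main__":
    for label, body in (("good", GOOD_BODY), ("bad", BAD_BODY)):
        print(label, classify_saml_callback(body))
```

Feed it the postData.text of the /login/callback entry from a HAR capture; a non-empty "missing" list names exactly what the IdP has to start returning.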
Solution
For the SP-initiated flow to be used, and hence for the redirect_uri from the /authorize request to be honoured, the SAML IdP must return the RelayState parameter it received with the AuthnRequest and set the InResponseTo attribute of its response to the ID of that AuthnRequest.