App with Saml connection is redirecting to wrong URL after success login

Problem statement

The user is redirected to a localhost URL instead of the callback URL after performing a successful authentication in the IdP system.

Symptoms

SP-Initiated flow with a SAML connection
SAML connection has IdP-Initiated enabled
The user is redirected to a different URL than the one specified in the redirect_uri within the /authorize request.

Troubleshooting

Check the SAML connection configuration. If IdP-Initiated is enabled and no redirect_uri is set in the “query string” field, check the default application’s callback URLs: the first allowed callback URL will be used by default.

If the URL listed there matches the URL the user is seeing, the flow is likely being treated as an IdP-initiated flow, and the issue is likely due to a missing RelayState parameter.

A HAR file (or debug mode on the SAML connection) is needed to inspect exactly what the IdP returns and to confirm whether RelayState is present.

Cause

Auth0 resorts to IdP Initiated flows when there is no RelayState and/or InResponseTo attribute.

This means the original /authorize request’s parameters are ignored: because Auth0 cannot align the login request with the SAML response it receives, it treats the response as an entirely different login transaction. If IdP-Initiated were not enabled for the connection in question, the following error would occur instead:

"invald_request": "IdP-Initiated login is not enabled for connection 'CONNECTION_NAME'.

Solution

For an SP-initiated flow to be recognized, and thus for the redirect_uri on the /authorize request to be used, the SAML IdP must send back the RelayState parameter and the correct InResponseTo attribute.