I’m trying to configure applications to use SAML for SSO purposes. My configuration is like this:
```json
{
  "audience": "https://${myurl}/saml/consume",
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:EmailAddress",
  "signResponse": true
}
```
and it works in my dev tenant. When I use the same configuration in my prod tenant, the SAML response is NOT getting signed, and the audience is NOT what is specified in my config. It is coming up as:
```xml
<saml:AudienceRestriction>
  <saml:Audience>undefined.zoom.us</saml:Audience>
</saml:AudienceRestriction>
```
rather than:
```xml
<saml:AudienceRestriction>
  <saml:Audience>https://${myurl}/saml/consume</saml:Audience>
</saml:AudienceRestriction>
```
Can anyone explain why the configuration from the app is not being used?
Okay, I figured this out. Turns out that this was actually a bug with the Terraform Provider that was fixed in the GHI link below. I think the reason that I was seeing
```xml
<saml:AudienceRestriction>
  <saml:Audience>undefined.zoom.us</saml:Audience>
</saml:AudienceRestriction>
```
was because zoom was the last addon in the list, and it likely had SAML configurations that were clobbering my configured ones. For whatever reason, my dev tenant managed via TF didn't inherit this same issue.
opened 01:53PM - 26 Jul 23 UTC
closed 04:42PM - 28 Jul 23 UTC
bug
### Checklist
- [X] I have looked into the [README](https://github.com/auth0/… terraform-provider-auth0#readme) and have not found a suitable solution or answer.
- [X] I have looked into the [documentation](https://registry.terraform.io/providers/auth0/auth0/latest/docs) and have not found a suitable solution or answer.
- [X] I have searched the [issues](https://github.com/auth0/terraform-provider-auth0/issues) and have not found a suitable solution or answer.
- [X] I have upgraded to the [latest version](https://github.com/auth0/terraform-provider-auth0/releases/latest) of this provider and the issue still persists.
- [X] I have searched the [Auth0 Community](https://community.auth0.com/c/sdks/5) forums and have not found a suitable solution or answer.
- [X] I agree to the terms within the [Auth0 Code of Conduct](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md).
### Description
We are currently using version 0.40.0 of the auth0 provider and trying to use the beta version (and eventually GA version) so we can upgrade our actions to use Node 18 instead of Node 16.
We have a client. We use Python to interact with the Auth0 provider and are seeing an issue when trying to create a regular web application with the SAML2 web app addon:
```python
from imports.auth0 import Client, ClientAddons

# Runs inside a cdktf TerraformStack subclass, so `self` is the construct scope.
client = Client(
    self,
    name="Application",
    id_="auth0_application",
    description=" Application",
    app_type="regular_web",
    callbacks=["https://foo/saml/sso"],
    addons=ClientAddons(
        samlp={
            "create_upn_claim": False,
            "passthrough_claims_with_no_mapping": False,
            "map_identities": False,
            # SAML 2.0 transient NameID format URN
            "name_identifier_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
        }
    ),
)
```
Using 0.40.0, it is working as expected:
![image](https://github.com/auth0/terraform-provider-auth0/assets/93941231/967aec6b-c783-4578-92da-a6716421e112)
and the SAML properties are set up properly:
![image](https://github.com/auth0/terraform-provider-auth0/assets/93941231/563d1994-8be1-4377-bcfd-60ef0447b26b)
However in the beta version, it has more addons created:
![image](https://github.com/auth0/terraform-provider-auth0/assets/93941231/2eeed002-372f-44bc-b3a0-ba9f3b62767b)
and the SAML properties are not set up properly:
![image](https://github.com/auth0/terraform-provider-auth0/assets/93941231/c8ac4811-c1ad-4501-a849-5ceb0aeb8e3b)
I tried to make the changes to the SAML properties to match what was working before but even those are not getting picked up.
We have a rule that maps additional SAML attributes and it seems like that's not getting fired in the beta version, but works everywhere else.
When I create the web application manually, everything works as expected.
It also can't read this application in the current tfstate generated by the GA version. We can't delete this application as the SAML metadata has the client id in it.
### Expectation
It should work as in the GA version.
### Reproduction
```python
from imports.auth0 import Client, ClientAddons

# Runs inside a cdktf TerraformStack subclass, so `self` is the construct scope.
client = Client(
    self,
    name="Application",
    id_="auth0_application",
    description=" Application",
    app_type="regular_web",
    callbacks=["https://foo/saml/sso"],
    addons=ClientAddons(
        samlp={
            "create_upn_claim": False,
            "passthrough_claims_with_no_mapping": False,
            "map_identities": False,
            # SAML 2.0 transient NameID format URN
            "name_identifier_format": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
        }
    ),
)
```
Then run cdktf deploy and check generated web application in Auth0 dashboard.
### Auth0 Terraform Provider version
1.0.0-beta.0
### Terraform version
v1.2.3
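A drift check for the symptom described in this thread (the Audience replaced by another addon's value and the Response left unsigned), as an added example that is not part of the original thread, the provider, or Auth0: it parses a SAML Response and compares it with the addon's `audience` and `signResponse` settings. The ACS URL `https://sp.example.com/saml/consume` and both response documents are constructed stand-ins for the thread's `${myurl}` and tenant output.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 and XML-DSig namespaces used in the response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def check_saml_response(xml_text, expected_audience, sign_response=True):
    """Compare a SAML Response with the addon config; return a list of findings.

    Only element presence is checked; cryptographic verification of the signature
    is the job of your SAML library. Parse untrusted XML with defusedxml instead.
    """
    root = ET.fromstring(xml_text)
    findings = []
    audiences = [a.text.strip() for a in
                 root.iterfind(".//saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        findings.append(f"audience mismatch: expected {expected_audience!r}, got {audiences!r}")
    # signResponse=true puts the ds:Signature directly under samlp:Response.
    if sign_response and root.find("ds:Signature", NS) is None:
        findings.append("response not signed: no ds:Signature child of samlp:Response")
    return findings

# Constructed stand-in for the thread's ${myurl} ACS URL; not a real endpoint.
EXPECTED_AUDIENCE = "https://sp.example.com/saml/consume"

# Constructed sample of the prod symptom: clobbered audience, unsigned response.
BROKEN_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0"><saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>undefined.zoom.us</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion>
</samlp:Response>"""

# Constructed sample of the dev tenant's output: configured audience, signed response.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r2" Version="2.0">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2lnbmVk</ds:SignatureValue></ds:Signature>
  <saml:Assertion ID="_a2" Version="2.0"><saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://sp.example.com/saml/consume</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions></saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for label, xml in (("prod", BROKEN_RESPONSE), ("dev", GOOD_RESPONSE)):
        print(label, check_saml_response(xml, EXPECTED_AUDIENCE) or ["ok"])
```

Running it against a response captured from each tenant (for example with a browser SAML tracer) shows which tenant's addon settings actually reached the issuer, which is the dev/prod discrepancy the thread describes.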
system, closed August 14, 2023, 9:44pm
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.