We are working to integrate with a client’s corporate SSO system using SAML. We are using Auth0 as the Service Provider and we have successfully created the Service Provider entry through the Auth0 system. On the login screen, there is now a button Continue with SAML. Clicking the button successfully redirects to the corporate SSO, but there is then a “not authorized” error. The client’s security team has diagnosed the problem as being that Auth0 is not sending the Assertion Consumer URL as part of the redirect. I have this value as generated from the SAML SP entry metadata. Can anyone explain why it’s not being sent? Thank you!
Hey @clark, Welcome to the Auth0 Community!
When Auth0 acts as the SAML SP, we do not send the AssertionConsumerServiceURL in the SAML requests by default. There are two options to send it:
One option is to hard-code the ACS URL in the SAML template of the Auth0 SAML connection.
See this detailed example:
The second option is to set a flag in the tenant to true. This needs to be turned on by our Engineering team, so it will require you to open a support ticket with us. But the issue with this configuration is that as soon as it is enabled, all SAML connections will start sending the ACS URL, which can break some IdPs; we have had reports of this causing issues in the past for some customers' IdPs. Also, it sends the ACS URL (example: https://demo-saml-sp.auth0.com/login/callback) but not the connection param in the request.
Currently, option 1 is manual but the better alternative, since it removes the dependency of sending the ACS URL with every connection. Also, we have a backlog item with our engineering team to provide a UI for this feature, but I don't have an ETA at the moment.
A SAML connection template that sends the AssertionConsumerServiceURL attribute where the ACS URL is not hardcoded:

    <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
        Destination="@@Destination@@"
        AssertionConsumerServiceURL="@@AssertionConsumerServiceURL@@"
        ID="@@ID@@"
        IssueInstant="@@IssueInstant@@"
        ProtocolBinding="@@ProtocolBinding@@"
        Version="2.0">
      <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        @@Issuer@@
      </saml:Issuer>
    </samlp:AuthnRequest>
In the above template the default @@AssertServiceURLAndDestination@@ template variable (which provides the Destination attribute and, depending on the tenant flag, maybe the AssertionConsumerServiceURL attribute) is replaced with explicit Destination and AssertionConsumerServiceURL attributes, each with their own template variable.
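The quickest way to confirm the diagnosis in the question (and to verify the template above after you apply it) is to take the redirect URL the browser is sent to, decode the SAMLRequest parameter, and look at the AuthnRequest attributes. The script below is an added example written for this thread, not Auth0's code or the thread participants' code: it renders the template above (and, for contrast, a constructed copy of it with the ACS attribute removed), encodes the result with the HTTP-Redirect binding the same way an SP does, then decodes it again and reports whether AssertionConsumerServiceURL is present and matches the ACS URL from the SP metadata. The IdP SSO URL and the Issuer value are placeholders; the ACS URL is the one quoted in the reply.

```python
import base64
import secrets
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.etree import ElementTree as ET
from xml.sax.saxutils import escape

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# The template from the thread: Destination and AssertionConsumerServiceURL are
# separate attributes, each filled from its own @@placeholder@@.
TEMPLATE_WITH_ACS = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Destination="@@Destination@@"
    AssertionConsumerServiceURL="@@AssertionConsumerServiceURL@@"
    ID="@@ID@@"
    IssueInstant="@@IssueInstant@@"
    ProtocolBinding="@@ProtocolBinding@@"
    Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@@Issuer@@</saml:Issuer>
</samlp:AuthnRequest>"""

# Constructed stand-in for a request that omits the ACS attribute (what the
# client's team saw). This is NOT Auth0's default template, only an illustration.
TEMPLATE_WITHOUT_ACS = TEMPLATE_WITH_ACS.replace(
    '    AssertionConsumerServiceURL="@@AssertionConsumerServiceURL@@"\n', "")


def render_request(template, *, destination, acs_url, issuer, binding=POST_BINDING,
                   request_id=None, issue_instant=None):
    """Fill the @@...@@ placeholders. Every value is XML-escaped, including the
    double quote, so a URL containing '&' or '"' cannot break out of an attribute."""
    values = {
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "Issuer": issuer,
        "ProtocolBinding": binding,
        # xsd:ID must start with a letter or underscore, never a digit
        "ID": request_id or "_" + secrets.token_hex(16),
        "IssueInstant": issue_instant
        or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
    }
    out = template
    for key, val in values.items():
        out = out.replace(f"@@{key}@@", escape(val, {'"': "&quot;"}))
    return out


def to_redirect_url(sso_url, xml_request, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode as SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    deflated = comp.compress(xml_request.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    sep = "&" if urlparse(sso_url).query else "?"
    return sso_url + sep + urlencode(params)


def decode_redirect_url(url):
    """Reverse of to_redirect_url: returns the AuthnRequest XML as a string."""
    qs = parse_qs(urlparse(url).query)
    raw = base64.b64decode(qs["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode("utf-8")


def check_acs(url, expected_acs):
    """The check the client's security team would run on the captured redirect:
    is AssertionConsumerServiceURL present, and does it match the SP metadata?"""
    root = ET.fromstring(decode_redirect_url(url))
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError(f"not a samlp:AuthnRequest: {root.tag}")
    acs = root.get("AssertionConsumerServiceURL")
    return {
        "present": acs is not None,
        "acs": acs,
        "matches": acs == expected_acs,
        "destination": root.get("Destination"),
    }


if __name__ == "__main__":
    SSO = "https://sso.example-corp.test/saml/idp"            # placeholder IdP SSO URL
    ACS = "https://demo-saml-sp.auth0.com/login/callback"     # ACS URL quoted in the reply
    ISSUER = "urn:auth0:demo-saml-sp:corp-saml"               # placeholder SP entity ID
    for label, tpl in (("with ACS", TEMPLATE_WITH_ACS), ("without ACS", TEMPLATE_WITHOUT_ACS)):
        xml_req = render_request(tpl, destination=SSO, acs_url=ACS, issuer=ISSUER)
        print(label, check_acs(to_redirect_url(SSO, xml_req), ACS))
```

To use it against a real tenant, paste the Location header of the redirect from Auth0 into decode_redirect_url() or check_acs(); if "present" comes back False, the connection is still using the default template. Note that the IdP-side Destination check and the ACS check are independent: an IdP that rejects requests because the ACS URL is missing will keep rejecting them until the attribute appears, regardless of whether the Destination is right.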