
Auth0 as SP, ADFS as IDP SAML error

I’ve created an app inside Auth0 for the IDP. The IDP is using ADFS with the SAML connection enabled.

I created a SAMLP Identity Provider connection, added their Sign In Url, and uploaded their X509 Signing Certificate.

User clicks SP link, gets redirected to Auth0 signin page, and then redirects over to IDP login page. They enter in user/pass and then start to get redirected back.

We always get the following error message: “The request could not be performed due to an error on the part of the SAML responder or SAML authority”.

On the IDP side, their error message is: “MSIS0037: No signature verification certificate found for issuer”.

Have we set this up correctly? I noticed that there are 2 Auth0 connection type options: ADFS and SAMLP Identity Provider. Which should I be using? It’s an ADFS server but they checked the box to use SAML 2.0.

I’ve set up other Auth0 connections and haven’t had any problems, but never worked with ADFS before.

Thanks

From the error it seems the ADFS configuration is incomplete; when you create the relying party in ADFS to represent the Auth0 service you should upload the certificate that Auth0 will use to sign SAML authentication requests.

This docs section covers the scenario where authentication requests are signed (https://auth0.com/docs/protocols/saml/saml-configuration/special-configuration-scenarios/signing-and-encrypting-saml-requests#sign-the-saml-authentication-request) and point three tells you how the certificate can be obtained.

If you provide that certificate to the ADFS admin they should be able to add it to the relying party configuration.

In relation to the ADFS versus SAML connection types, both can be used for ADFS; they provide slightly different functionality and usually going with the SAML connection type will likely be the one that gives you more flexibility.
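As an added illustration of the fix described in the reply above (not code from the thread, from Auth0 or from Microsoft), this is what the ADFS administrator would run to register the Auth0 request-signing certificate on the relying party trust and then confirm that ADFS now has a verification certificate for the issuer named in the MSIS0037 error. The trust name and the certificate path are placeholders; the cmdlets (`Set-AdfsRelyingPartyTrust`, `Get-AdfsRelyingPartyTrust`) and the `RequestSigningCertificate` parameter are standard in the ADFS PowerShell module.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell
# session on the ADFS server. $rpName and $pemPath are placeholders.
Import-Module ADFS

$rpName  = 'Auth0 (SP)'                  # display name of the relying party trust for the Auth0 tenant
$pemPath = 'C:\temp\auth0-signing.pem'   # certificate obtained per step 3 of the linked Auth0 doc

# Load the public certificate. The PEM carries no private key, which is all ADFS needs
# in order to verify the signature on incoming AuthnRequests.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $pemPath
Write-Host "Loaded signing certificate: $($cert.Subject), thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

# Register it as the request-signing certificate on the trust.
Set-AdfsRelyingPartyTrust -TargetName $rpName -RequestSigningCertificate $cert

# Verify. MSIS0037 means ADFS had no request-signing certificate for the issuer,
# so the thumbprint on the trust must now match the certificate Auth0 signs with.
$rp         = Get-AdfsRelyingPartyTrust -Name $rpName
$registered = @($rp.RequestSigningCertificate | ForEach-Object { $_.Thumbprint })
if ($registered -contains $cert.Thumbprint) {
    Write-Host "OK: request-signing certificate is registered on '$rpName'"
} else {
    Write-Warning "Certificate not found on '$rpName'; check the trust name and the uploaded file"
}

# ADFS looks the certificate up by the Issuer value in the AuthnRequest, so that value
# must also be one of the identifiers on this trust. Print them for comparison with the
# issuer quoted in the MSIS0037 event.
Write-Host "Relying party identifiers: $($rp.Identifier -join ', ')"
```

If the thumbprint check passes but the error persists, compare the issuer string in the ADFS event log entry with the identifiers printed at the end: a certificate registered on a trust whose identifier does not match the request's Issuer is never consulted, and the event will still read as "no signature verification certificate found for issuer".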

Thanks for this. Unfortunately, it didn’t solve the ADFS issue though. The IDP is reaching out to Microsoft for help.