Auth0 IdP does not return InResponseTo

The SAML response from Auth0 does not include the InResponseTo field, which means the service provider sees the request as invalid.

This is the SAML request (decodable via SAML Decoder | Ping Identity Developer Portal), coming from github.com/kolide/fleet:

fJFfq9pAEMW/Sth3s+tC2rgYIWpLg7aItoJ9WzfTZnH/pDsTtf30pSmC9+Hex2H48TucM0ftXa/qgbqwh18DIGV37wKq8VGxIQUVNVpUQXtARUYd6s9bJXOh+hQpmujYE/I2oREhkY2BZc26YrbdhWI2vRfbn/VledanTyw7QkIbQ8VkLlhWP4BVDDh4SAdIV2vg235bsY6oR8W5i0a7LiKpUpSC697y65RforMtcMTIjXburM2FZWtAskHTaHjwPxwAtX5CgJQPmOuBOpGb6PlYAv

This is the response from Auth0 (decodable via SAML Decoder - Online SAML Request-Response Decode Tool - Base64 - Inflate):

PHNhbWxwOlJlc3BvbnNlIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiIElEPSJfNDdlNjUwZTI1YWRlMDIyMDI4YTQiICBWZXJzaW9uPSIyLjAiIElzc3VlSW5zdGFudD0iMjAyMC0xMC0wOFQyMzowMzowOS44NjBaIiAgRGVzdGluYXRpb249Imh0dHBzOi8vbG9jYWxob3N0OjgwODAvYXBpL3YxL2tvbGlkZS9zc28vY2FsbGJhY2siPjxzYW1sOklzc3VlciB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj51cm46ZmxlZXRkbS10ZXN0LnVzLmF1dGgwLmNvbTwvc2FtbDpJc3N1ZXI+PHNhbWxwOlN0YXR1cz48c2FtbHA6U3RhdHVzQ29kZSBWYWx1ZT0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOnN0YXR1czpTdWNjZXNzIi8+PC9zYW1scDpTdGF0dXM+PHNhbWw6QXNzZXJ0aW9uIHhtbG5zOnNhbWw9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphc3NlcnRpb24iIFZlcnNpb249IjIuMCIgSUQ9Il9oY2hxSWxqVmFXYmtDQ2lDbWxNdjRqQjdMY1A5MzJMWCIgSXNzdWVJbnN0YW50PSIyMDIwLTEwLTA4VDIzOjAzOjA5Ljg1MVoiPjxzYW1sOklzc3Vlcj51cm46ZmxlZXRkbS10ZXN0LnVzLmF1dGgwLmNvbTwvc2FtbDpJc3N1ZXI+PFNpZ25hdHVyZSB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnIyI+PFNpZ25lZEluZm8+PENhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48U2lnbmF0dXJlTWV0aG9kIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI3JzYS1zaGExIi8+PFJlZmVyZW5jZSBVUkk9IiNfaGNocUlsalZhV2JrQ0NpQ21sTXY0akI3TGNQOTMyTFgiPjxUcmFuc2Zvcm1zPjxUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjZW52ZWxvcGVkLXNpZ25hdHVyZSIvPjxUcmFuc2Zvcm0gQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz48L1RyYW5zZm9ybXM+PERpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8+PERpZ2VzdFZhbHVlPncrQmFFbUxNVURnY0JiVENFSEpUVU9xdC9EYz08L0RpZ2VzdFZhbHVlPjwvUmVmZXJlbmNlPjwvU2lnbmVkSW5mbz48U2lnbmF0dXJlVmFsdWU+YjdVNEE4OHNaZ2VTZjFmT3NKUm8wMWpwRzZaWnR3aTE2NXdMTXpaK1FVemJXdG11ZE1ETTdWQnNkcytzNUtaUmFOWTRDakNQWXpsSmhnNHY2M1hFNHVMKzVnakhqZFo0ZmFyVDY5UXhxNDQ3TU5zSVhmU0JVM3o4SGFSdEY3Qlh0T3h2eHVvNFRMKzVCMUJTK3ZyODBNbE5UTWpZNHBsa3pWYlFJYlc0T0hHSWZhRFhtbzRJcVg3T0xaZDIrTWR0ZGoxWHRuaWZ0bGM0cWdQaGNWeE1aamFEYVVaMUUvVGdUUGwyZkhHUkdWZGovWFArbHU2dkJOSkNqeVl1S2dKWVdVRGNKV0MvNW1oWDIyR3ZoR3hxd2l3VTZ5OHBoM3pSNTg3NDNINnY1QlVBZmxxQzFEQTBrRTZYK2JBWGVveDJURlIwUnRRcnp3NW1oeVlvU1laOEl3PT08L1NpZ25hdHVyZVZhbHVlPjxLZXlJbmZvPjxYNTA5RGF0YT48WDUwOUNlcnRpZmljYXRlPk1JSUREVENDQWZXZ0F3SUJBZ0lKSi9SUWptb0wrZUxMTUEwR0NTcUdTSWIzRFFFQkN3VUFNQ1F4SWpBZ0JnTlZCQU1UR1dac1pXVjBaRzB0ZEdWemRDNTFjeTVoZFhSb01DNWpiMjB3SGhjTk1qQXhNREE0TWpJd016QTBXaGNOTXpRd05qRTNNakl3TXpBMFdqQWtNU0l3SUFZRFZRUURFeGxtYkdWbGRHUnRMWFJsYzNRdWRYTXVZWFYwYURBdVkyOXRNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDQVFFQXpZN1JyMXI0UnAzekRaRGYzOHB5alNBcnBPTVh4eG5tdFowVUNncEV1RHNRV2tLSjdjeWtQME5rNENwSTRpc1pwTk1Wa0xpOGU2VWhMZjVGb2l1d1Zod3BnbFpUN3dscVFNdk9KVWdzUWhLT2FuOG14S0hIbVFCM2JpbmZ1UUVQeWlSeUw0Q1dlaXl4aDdFRTJycWZpZldiVmdyWHRGQk1NblIwYVdsWDRVNnFoOUVaQTZUUFhXbUxsWW9GdHQwMitXdnR5NXJBdU5iaWZJUVBJZFN5MnVNNW1EcHRTaHVFR2NFbmFjUnB0RWgwMVRISzNhNm1nTlpLOWgwdG1nVTIyck5PbTFueFFwcGE2Z3ZRUW1XTEtmUk5XbDlsTVlrZVVNRFZmRTNKYXBnS0plL1BLaU1vWHJHcTFWcHA4YUF4SCtuYUdxUjJUeVFKelorYWJpeVJhd0lEQVFBQm8wSXdRREFQQmdOVkhSTUJBZjhFQlRBREFRSC9NQjBHQTFVZERnUVdCQlRkMFM0NUFjamE3QjR5TGFTYzVJaU5hRFZGM2pBT0JnTlZIUThCQWY4RUJBTUNBb1F3RFFZSktvWklodmNOQVFFTEJRQURnZ0VCQUVsYm5qZC90YUJQU1dZK3VscWZ2azU5US9EM0VxZWdXeld3d3BWZVJuTis4ZytXcGg5aGx0Q2JacXVEbmVhMnI4Z3dBaEduQ3l6a3dnM09NU3lzZTk1MTB4UTQySlM2R1dnV3lOMnJXZGh0MEl2VCt5K0lta0NqTUtCT2JmeTlJSW9aTGpXRGxNTlBWVWZaa1JiRGtJNG9NL1VkeWlPdm5PYy9pUkQyTnlGdmxyRHB5NURITENjWEFjR1c4NGhBRnZEN0gyWjNmazd6UGFLV0xSbjBrZUpXQUZHbmIydXRsVFh1Yk9TUmFSVGhyL2pvbGlMVzdJUlVaRmhHd1RIVitjejFvd0pvT1hFWnhtaG1OdElPQWdqQmtQNmhESFdtYit4eFJhMEZzYnRnYit1WmZtdFovKzlzRTFGNmhBU2FhYThWYnVKcGoreWpGSC9kSVZ0K29YST08L1g1MDlDZXJ0aWZpY2F0ZT48L1g1MDlEYXRhPjwvS2V5SW5mbz48L1NpZ25hdHVyZT48c2FtbDpTdWJqZWN0PjxzYW1sOk5hbWVJRCBGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjEuMTpuYW1laWQtZm9ybWF0OmVtYWlsIj56YWNoQGZsZWV0ZG0uY29tPC9zYW1sOk5hbWVJRD48c2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI+PHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgTm90T25PckFmdGVyPSIyMDIwLTEwLTA5VDAwOjAzOjA5Ljg1MVoiIFJlY2lwaWVudD0iaHR0cHM6Ly9sb2NhbGhvc3Q6ODA4MC9hcGkvdjEva29saWRlL3Nzby9jYWxsYmFjayIvPjwvc2FtbDpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDpTdWJqZWN0PjxzYW1sOkNvbmRpdGlvbnMgTm90QmVmb3JlPSIyMDIwLTEwLTA4VDIzOjAzOjA5Ljg1MVoiIE5vdE9uT3JBZnRlcj0iMjAyMC0xMC0wOVQwMDowMzowOS44NTFaIi8+PHNhbWw6QXV0aG5TdGF0ZW1lbnQgQXV0aG5JbnN0YW50PSIyMDIwLTEwLTA4VDIzOjAzOjA5Ljg1MVoiIFNlc3Npb25JbmRleD0iX2N0ekE5QXpwcDZJMzVBdVNDbUt2RG1qX1FHRGlYanZCIj48c2FtbDpBdXRobkNvbnRleHQ+PHNhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+dXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6dW5zcGVjaWZpZWQ8L3NhbWw6QXV0aG5Db250ZXh0Q2xhc3NSZWY+PC9zYW1sOkF1dGhuQ29udGV4dD48L3NhbWw6QXV0aG5TdGF0ZW1lbnQ+PHNhbWw6QXR0cmlidXRlU3RhdGVtZW50IHhtbG5zOnhzPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYSIgeG1sbnM6eHNpPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxL1hNTFNjaGVtYS1pbnN0YW5jZSI+PHNhbWw6QXR0cmlidXRlIE5hbWU9Imh0dHA6Ly9zY2hlbWFzLnhtbHNvYXAub3JnL3dzLzIwMDUvMDUvaWRlbnRpdHkvY2xhaW1zL25hbWVpZGVudGlmaWVyIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+Z29vZ2xlLW9hdXRoMnwxMTg0MzQxNjY1MjAzMzYxNTc1NDU8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iaHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNS8wNS9pZGVudGl0eS9jbGFpbXMvZW1haWxhZGRyZXNzIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+emFjaEBmbGVldGRtLmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9uYW1lIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+WmFjaGFyeSBXYXNzZXJtYW48L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iaHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcvd3MvMjAwNS8wNS9pZGVudGl0eS9jbGFpbXMvZ2l2ZW5uYW1lIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+WmFjaGFyeTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA1LzA1L2lkZW50aXR5L2NsYWltcy9zdXJuYW1lIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+V2Fzc2VybWFuPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9Imh0dHA6Ly9zY2hlbWFzLnhtbHNvYXAub3JnL3dzLzIwMDUvMDUvaWRlbnRpdHkvY2xhaW1zL3VwbiIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPnphY2hAZmxlZXRkbS5jb208L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iaHR0cDovL3NjaGVtYXMuYXV0aDAuY29tL2lkZW50aXRpZXMvZGVmYXVsdC9wcm92aWRlciIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPmdvb2dsZS1vYXV0aDI8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iaHR0cDovL3NjaGVtYXMuYXV0aDAuY29tL2lkZW50aXRpZXMvZGVmYXVsdC9hY2Nlc3NfdG9rZW4iIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj55YTI5LmEwQWZINlNNQzIzME4ydjRjaE1iZEJxZnhWT0tlV2h4eXVlTmZ0VmExQUxpV3dGRm5ZX05zMFlodFdjX0ljTFZaRjdRaFlZSE9TbG1CVDhhcURHdGdoY3h5Q0xXMkhOZ2VleXR1TF9ZZlQ0T3BXZmpkY0kwbUVjNHExQmQ0U2p0dTRLUVo0c2tFNkZldHlfR3J4YmdVTHh3eGh4aUdWNUYzVHhadzwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJodHRwOi8vc2NoZW1hcy5hdXRoMC5jb20vaWRlbnRpdGllcy9kZWZhdWx0L2V4cGlyZXNfaW4iIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6ZG91YmxlIj4zNTk5PC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9Imh0dHA6Ly9zY2hlbWFzLmF1dGgwLmNvbS9pZGVudGl0aWVzL2RlZmF1bHQvY29ubmVjdGlvbiIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPmdvb2dsZS1vYXV0aDI8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iaHR0cDovL3NjaGVtYXMuYXV0aDAuY29tL2lkZW50aXRpZXMvZGVmYXVsdC9pc1NvY2lhbCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpib29sZWFuIj50cnVlPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9Imh0dHA6Ly9zY2hlbWFzLmF1dGgwLmNvbS9jbGllbnRJRCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciPkZoeEFWN2F0OUFFc2N6Q3BJNm81QllLd3lEbXdsS3NtPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9Imh0dHA6Ly9zY2hlbWFzLmF1dGgwLmNvbS9jcmVhdGVkX2F0IiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOmFueVR5cGUiPlRodSBPY3QgMDggMjAyMCAyMjowNjo0NSBHTVQrMDAwMCAoQ29vcmRpbmF0ZWQgVW5pdmVyc2FsIFRpbWUpPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9Imh0dHA6Ly9zY2hlbWFzLmF1dGgwLmNvbS9lbWFpbF92ZXJpZmllZCIgTmFtZUZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmF0dHJuYW1lLWZvcm1hdDp1cmkiPjxzYW1sOkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpib29sZWFuIj50cnVlPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9Imh0dHA6Ly9zY2hlbWFzLmF1dGgwLmNvbS9sb2NhbGUiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5lbjwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjxzYW1sOkF0dHJpYnV0ZSBOYW1lPSJodHRwOi8vc2NoZW1hcy5hdXRoMC5jb20vbmlja25hbWUiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj56YWNoPC9zYW1sOkF0dHJpYnV0ZVZhbHVlPjwvc2FtbDpBdHRyaWJ1dGU+PHNhbWw6QXR0cmlidXRlIE5hbWU9Imh0dHA6Ly9zY2hlbWFzLmF1dGgwLmNvbS9waWN0dXJlIiBOYW1lRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXR0cm5hbWUtZm9ybWF0OnVyaSI+PHNhbWw6QXR0cmlidXRlVmFsdWUgeHNpOnR5cGU9InhzOnN0cmluZyI+aHR0cHM6Ly9saDMuZ29vZ2xldXNlcmNvbnRlbnQuY29tL2EtL0FPaDE0R2lRdGtyZnFvTXRRbTVlaUFzalFPLUU2c29rYkljckZNVnBTSmJOLU1QVkxKdXpYMHdEc3ZTWW5ocnNwUWtkbW9ndGdNVExZRndMRjl5X1ZyV1FBWnBTSXNxUlFVdDlWYy11THpoeFp6ZTk2Y0FPR1hfUl9aOHZoeHRINWJpZWNobWtVMGlKQXh2dlBsQkZtbUU0aF9fSzJqQ3phdGZ5VENfTEpMZzFXd0lHbDVWXzlReldhU3NmMDdTOGtuUXJuc2NQLW9KSWVWNF95VmlZWWNQcHlHWWt5dGJuVGNyeDI5Q1lCQ0ctRmM4SWpIaG9ncjdXYjJjYUNEMzFvMnhWWFRWRUM0VHJ4eE1OcDdibWJNYV9pVHpsVVcxdTc1aXZpX2VGRWZ4TUZpT01kOG9MamY5ZUVsSVlHajF5MjNHT2pfeUx2Sk1nUlJKLWhsa2tmTkVkbFQ2QkVjcDdlNlE5eDlXbTB0dUZlT0kzV1VVQkZrS3dqeUJHS1d0WmtDcHIzbnpjTjBnV1BJRXJPY2Q2REExbWZKZnU5VlU2Sk9udy1zZDZsU0dkWDZicXJCaFYxNDY1clRDQzlGS1RhRHRzQ3AzdUFpQlNjWm1HRjJ5T3VzTnBpUm9XSncweEV5dUJ6UC1yNVNiSGZNY0QteWt5UXg5VDB6VjYyNlVSODJzZE9GRG55TmZWdDZzcjBvZ19KelA5OUdaMFNpOEdGdEpxR1NvMVBOdzgyQkxDbHlIVFZMbmJOUkhtcmxlSzEwWmpVeWN2NF9pMXpSU2VrNGd1S0M5ZUIwQ1NlSGxYdFVKdnpjUUt2b3duc3Q5Z3czczBPZXp2M0hKVi1ELXMteGsySjVXSzlVUFVmdENSUHFaTi1Vc0d5by1uS0xRSkpXdU5Bbm50VUx1bWRFd0o4RFVnempFWFNibFlwMWUwSlN5cVlJREdRLV9YbHljUE13MFg4cFh4em9nUXRFSXptVWhyenlaUXhpTWVBZjNsWFZ2Y1FUMF9rVHN0ZGtTWDl1eHZFdmVFcEE9czk2LWM8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iaHR0cDovL3NjaGVtYXMuYXV0aDAuY29tL3VwZGF0ZWRfYXQiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6YW55VHlwZSI+VGh1IE9jdCAwOCAyMDIwIDIzOjAzOjA5IEdNVCswMDAwIChDb29yZGluYXRlZCBVbml2ZXJzYWwgVGltZSk8L3NhbWw6QXR0cmlidXRlVmFsdWU+PC9zYW1sOkF0dHJpYnV0ZT48c2FtbDpBdHRyaWJ1dGUgTmFtZT0iaHR0cDovL3NjaGVtYXMuYXV0aDAuY29tL2lkZW50aWZpZXIiIE5hbWVGb3JtYXQ9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphdHRybmFtZS1mb3JtYXQ6dXJpIj48c2FtbDpBdHRyaWJ1dGVWYWx1ZSB4c2k6dHlwZT0ieHM6c3RyaW5nIj5nb29nbGUtb2F1dGgyfDExODQzNDE2NjUyMDMzNjE1NzU0NTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg==

Note that there is no InResponseTo value in the decoded XML.

Hi zwass,

The SAML request seems to be incomplete after decoding, could you share the whole URL of this SAML request (if you use http-redirect binding), e.g. https://YOUR_AUTH0_DOMAIN/samlp/CLIENT_ID?SAMLRequest=fJFfq9pAE...

Regards
Guangjie

Ignore my previous reply please.
It seems you are using the Auth0 Developer Keys for your Google connection, it is one of the known limits of using Auth0 Developer Keys that InResponseTo attribute is missing.

1 Like

So Auth0 uses a (intentionally??) broken implementation of the SAML specification when working with developer keys? In that case, what is the intended purpose of using Auth0 SSO in developer mode?

I wasted hours debugging Auth0’s implementation because this was not made clear within the UI or by searching Google.

Is there some way a user is supposed to be able to tell that the SSO is configured with developer keys? I’ve flipped through all 4 pages of options for the “Application” and I cannot find even the word “developer”. Additionally, configuring SSO doesn’t use keys directly (though they may be contained in the metadata).

Is this supposed to only follow the SAML specification if a paid account is used? Does the free trial not follow the spec?

Does Auth0 have a mode in which SSO follows the SAML specification?

Ultimately I’m just trying to test that Auth0 SSO login works with the open-source project I develop.

Hi Zachary,

Sorry for the confusion, please let me clarify in a bit more details.

First of all, you don’t a paid plan to have SSO work with SAML.

Secondly, about the “Auth0 Developer Key”, when you would like your users to login your app via social identity providers such as Google, Facebook, Twitter or etc, those identity providers require you to register your application in order to obtain a Client ID and Client Secret and show your own consent page and logo on the identity provider’s login page. Auth0 also registered an application with each of the social identity providers we support so you can use them instantly, which are call the “Auth0 Developer Keys” it’s supposed to be used for test purpose only, and comes with limitations as described in my previous post.

You can tell if you are using the “Auth0 Developer Keys” from the tenant dashboard → Connections → Social → Select “Google” for example → Select “Settings” tab, if the Client ID and Client Secret fields are empty, then you are using the “Auth0 Developer Keys” (because you didn’t provide your own keys). There is also a banner showing the information about developer keys as well.

To fix issue, you need to register your application at Google Developer Console, by following this document, and configure it in the Google connection in your Auth0 tenant.

2 Likes

Thank you for clarifying this.

I am still struggling to understand why Auth0 would present a UX that looks like it is working while actually intentionally deviating from the SAML spec. Please consider making it extremely clear somewhere in the login flow that it is not actually configured correctly. This could save hours for someone else.

Hi Zachary,

I understand the frustration, please understand the limits here are not designed behavior but rather results of implementation constraint. But I agree with you that improvement can be made for this scenario, I’m raising it internally and you are more than welcome to submit your feedback here as well.

1 Like

As @Guangjie said above the issue has been raised internally and you can also advocate for that using our product feedback form.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.