Auth0 multiple SAML add-ons

Hi,
I’m using an Auth0 application with SAML add-on enabled for an application which has multiple service providers. (Service providers are not configured in Auth0).

I’m getting the below error when submitting a LogoutRequest.

No active session(s) found matching LogoutRequest

SAML add on configuration

{
"mappings": {
"user_id": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
"email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
"given_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
"family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
"upn": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
"groups": "http://schemas.xmlsoap.org/claims/Group"
},
"createUpnClaim": true,
"passthroughClaimsWithNoMapping": true,
"mapUnknownClaimsAsIs": false,
"mapIdentities": true,
"signatureAlgorithm": "rsa-sha1",
"digestAlgorithm": "sha1",
"lifetimeInSeconds": 3600,
"signResponse": false,
"typedAttributes": true,
"includeAttributeNameFormat": true,
"nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
"nameIdentifierProbes": [
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
],
"authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
"logout": {
"callback": "https://tenant.auth0.com/samlp/hash/logout",
"slo_enabled": true
},
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
}

Note that audience , recipient and destination parameters are not set because I have multiple service providers with different URLs. Therefor those values will be taken from the request itself (according to the documentation). However I believe Auth0 compares the issuer value in the logout request with the audience value in the config. In my case there’s no audience value in the config.

I was told that

If you have multiple service providers you should create an application with the SAML add-on for each of them.

My question is can I create multiple SAML add ons for one application? If not how can I create multiple applications with same metadata.xml (with same login URL)? Because my application supports only one IDP.

Thanks.
Yasith

Hello @ylokuge and welcome to the Auth0 Community!!

The advice you were given sounds correct, you can only have one SAML Add on per application.

I’m hoping you could explain this a bit more, are you creating these applications programmatically and not through the dashboard? What errors are you encountering when configuring separate applications with the same SAML Add on?

Best Regards,
Colin

Hi @colin.coutts,

Thanks for the reply. I have created multiple applications for different service providers as you suggested and login flow seems to be working fine. And also in the logout flow GET request from SP to IDP works fine. However the POST request from IDP to SP fails due to certificate mismatch issue. After decoding the logout request I found out that certificate used is different to what’s in the IDP metadata.xml. Can you please explain this mismatch and suggest a solution for that?

Regards,
Yasith.

Hi @ylokuge,

Would you mind capturing the login/logout interaction in a .har file so I can try to see what’s happening? You can send it to me in a DM for me to review, details on capturing a .har can be found here:

Did the certificate you noticed belong to a different IDP that you had configured? Does your IdP provide any logging, if so are there any meaningful logs around this failed SLO? It’s hard to say what could be going wrong from the description, hopefully a .har file will provide a bit more context.

Best Regards,
Colin

Hi @ylokuge did you find a work around for this issue. We have the same problem with 2 service providers that need to authenticate with our idp