Overview
This article explains a common cause of the Issuer in a SAML Response issued by Auth0 not matching the entityID in the Auth0 Identity Provider (IdP) metadata that the Service Provider (SP) has configured.
Applies To
- SAML addon
Cause
The SAML Service Provider (SP) typically validates the Issuer in the SAML Response against the entityID provided in the Auth0 SAML IdP metadata (https://<CANONICAL_DOMAIN>/samlp/metadata/CLIENT_ID). The entityID and endpoint URLs in that metadata are derived from the domain the metadata was requested from. If the IdP metadata link with the canonical domain (copied directly from the SAML addon settings) was provided to the SP, but the login flow actually runs through a custom domain, the Issuer in the SAML Response will reflect the custom domain instead of the canonical domain and will not match the entityID the SP has configured, so the SP rejects the response.
Solution
Provide the SP admin with a metadata link that uses the custom domain: https://<CUSTOM_DOMAIN>/samlp/metadata/CLIENT_ID

The entityID in that metadata reflects the custom domain and therefore matches the Issuer in responses produced by the custom-domain flow. The SP admin must re-import or update their IdP configuration from the new link; the domain in the metadata link and the domain used for the login flow must be the same. To confirm the diagnosis before changing anything, compare the <saml:Issuer> element of a captured SAML Response with the entityID attribute of the EntityDescriptor in the metadata the SP currently has.
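The following script is an added example, not code from this article or from Auth0. It shows the check an SP admin or Auth0 admin can run offline: extract the entityID from the IdP metadata and the Issuer from the Response and the Assertion of a base64-encoded SAMLResponse, and compare them. The `mock_idp_metadata` and `mock_saml_response` functions are constructed stand-ins for what the Auth0 metadata endpoint and login flow would return; the tenant and custom domain names, and the `urn:<domain>` issuer form, are assumptions for illustration and are not stated on this page.

```python
import base64
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Namespaces used by SAML 2.0 metadata, protocol messages and assertions.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

CLIENT_ID = "CLIENT_ID"                    # placeholder, as on the page
CANONICAL_DOMAIN = "example.us.auth0.com"  # assumed tenant (canonical) domain
CUSTOM_DOMAIN = "login.example.com"        # assumed custom domain


def mock_idp_metadata(domain: str) -> str:
    """Constructed stand-in for https://<domain>/samlp/metadata/CLIENT_ID.
    entityID and endpoint URLs are derived from the domain the metadata was
    requested from. The urn:<domain> form is an assumption, not from the page."""
    return (
        f'<md:EntityDescriptor xmlns:md="{NS["md"]}" entityID="urn:{domain}">'
        f'<md:IDPSSODescriptor protocolSupportEnumeration="{NS["samlp"]}">'
        f'<md:SingleSignOnService '
        f'Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
        f'Location="https://{domain}/samlp/{CLIENT_ID}"/>'
        f"</md:IDPSSODescriptor></md:EntityDescriptor>"
    )


def mock_saml_response(issuer_domain: str) -> str:
    """Constructed, unsigned SAML Response as a login flow on issuer_domain
    would produce (Signature elements omitted; they do not affect this check)."""
    issuer = f"urn:{issuer_domain}"
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" '
        f'Destination="https://sp.example.com/acs">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<samlp:Status><samlp:StatusCode "
        f'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>"
        f"</saml:Assertion></samlp:Response>"
    )


def metadata_entity_id(metadata_xml: str) -> str:
    """Return the entityID attribute of the EntityDescriptor in IdP metadata."""
    root = ET.fromstring(metadata_xml)
    if root.tag != f'{{{NS["md"]}}}EntityDescriptor':
        raise ValueError("not a SAML EntityDescriptor document")
    return root.attrib["entityID"]


def response_issuers(saml_response_b64: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (Response/Issuer, Assertion/Issuer) from the base64 SAMLResponse
    form value posted to the SP's ACS. SPs commonly check both elements.
    For untrusted input in production, parse with defusedxml instead of ET."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    response_issuer = root.findtext("saml:Issuer", namespaces=NS)
    assertion_issuer = root.findtext("saml:Assertion/saml:Issuer", namespaces=NS)
    return response_issuer, assertion_issuer


def compare(metadata_xml: str, saml_response_b64: str) -> dict:
    """Compare the configured entityID with both Issuer values; match is True
    only when all three are identical, which is what the SP requires."""
    entity_id = metadata_entity_id(metadata_xml)
    response_issuer, assertion_issuer = response_issuers(saml_response_b64)
    return {
        "entity_id": entity_id,
        "response_issuer": response_issuer,
        "assertion_issuer": assertion_issuer,
        "match": entity_id == response_issuer == assertion_issuer,
    }


# Constructed sample data: the SP was given canonical-domain metadata, but the
# user logged in through the custom domain, so the response carries that domain.
CANONICAL_METADATA = mock_idp_metadata(CANONICAL_DOMAIN)
CUSTOM_DOMAIN_METADATA = mock_idp_metadata(CUSTOM_DOMAIN)
RESPONSE_B64 = base64.b64encode(mock_saml_response(CUSTOM_DOMAIN).encode()).decode()

if __name__ == "__main__":
    print("canonical metadata:", compare(CANONICAL_METADATA, RESPONSE_B64))
    print("custom-domain metadata:", compare(CUSTOM_DOMAIN_METADATA, RESPONSE_B64))
```

Run against a real capture by replacing `CANONICAL_METADATA` with the metadata document the SP actually imported and `RESPONSE_B64` with the SAMLResponse value taken from the browser's POST to the ACS; a `match` of False with the Issuer showing the custom domain confirms the cause described above, and re-running with metadata fetched from the custom-domain link should flip it to True.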