Changing issuer in Auth0 SAML enterprise connection

Is it possible to change the issuer (default is “urn:auth0:YOUR_TENANT:YOUR_CONNECTION_NAME”) in a SAML connection via the Auth0 Management API? For context, we are migrating customers from an old SSO system to Auth0 and they already have SAML configurations in their IDPs. Unfortunately, the issuer format we were using doesn’t match the one in Auth0, so we cannot do the migration without asking customers to change the audience (and callback URL) in their IDPs.

Hey @dsteblyuk, the entityId of a SAML connection can be overridden by PATCHing the connection with the value you want. This attribute should go under the options object of the connection.

One word of caution: the options object is overwritten when being patched, instead of being merged. So you will want to get the existing object by doing a GET first and send the existing contents when doing the PATCH. Example:

curl -X PATCH 'https://TENANT_DOMAIN/api/v2/connections/CONNECTION_ID' \
--header 'Authorization: Bearer MGMT_API_TOKEN' \
--header 'Content-Type: application/json' \
--data-raw '{
  "options": {
    "entityId": "some_new_value",
    // rest of the options you received from GET
  }
}'
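The GET-then-PATCH sequence from the answer above, as an added example that is not part of the original thread and is not Auth0's own code. The function names and the sample connection are assumptions; the sketch builds the PATCH body from the existing options and refuses to send it if any existing option key would be erased.

```python
import copy
import json
import urllib.request


def merged_options_patch(connection, overrides):
    """Build a PATCH body: the connection's existing options plus overrides."""
    options = copy.deepcopy(connection.get("options") or {})
    options.update(overrides)
    return {"options": options}


def dropped_option_keys(connection, patch_body):
    """Option keys present on the connection that the PATCH body would erase."""
    existing = set(connection.get("options") or {})
    return sorted(existing - set(patch_body.get("options") or {}))


def call_api(method, url, token, body=None):
    """Minimal Management API call; returns the decoded JSON response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def set_entity_id(tenant_domain, connection_id, token, entity_id):
    """GET the connection, merge entityId into its options, then PATCH."""
    url = f"https://{tenant_domain}/api/v2/connections/{connection_id}"
    current = call_api("GET", url, token)
    body = merged_options_patch(current, {"entityId": entity_id})
    lost = dropped_option_keys(current, body)
    if lost:
        raise RuntimeError(f"PATCH would erase options: {lost}")
    return call_api("PATCH", url, token, body)


# Constructed sample of a GET response; option names other than entityId
# are illustrative, not taken from the thread.
SAMPLE_CONNECTION = {
    "id": "con_EXAMPLE",
    "strategy": "samlp",
    "options": {"signInEndpoint": "https://idp.example.com/sso",
                "signingCert": "BASE64_CERT_PLACEHOLDER"},
}
```

Comparing a second GET against the merged body after the PATCH confirms that nothing besides entityId changed.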

Hi @thameera! Thank you for a quick reply!
I already tried changing issuer this way, but it was not working for me (I just double-checked). I tried it for Google and Okta. Google fails with app_not_configured_for_user (before redirecting to Auth0), which means saml:Issuer passed in SAML request doesn’t match Entity ID (configured in Google Workspace). Okta does redirect to Auth0, but then Auth0 replies/redirects with an error Audience is invalid. Configured: urn:auth0:TENANT_DOMAIN:CONNECTION_NAME.

EDIT: worth mentioning that the request itself will succeed, but I think that’s only due to Auth0 ignoring unknown options (I tried some gibberish option names and the requests didn’t fail).

Hey @dsteblyuk, my bad - the option when Auth0 is the SAML SP is actually called entityId, not issuer. I just tested and verified this - can you try it? I’ll update the original answer as well.

Hi @thameera, it worked, thank you so much!

my bad - the option when Auth0 is the SAML SP is actually called entityId, not issuer

It was my bad actually - this was in the docs and I missed it:

However, changing entityId was not enough, as Auth0 also does verification of destination and recipient (both must be specified in SAML service provider). By default the recipient and destination are equal to https://TENANT_DOMAIN/login/callback?connection=CONNECTION_NAME in Auth0. Our customers have different values already specified in their IDPs. This causes access_denied Recipient is invalid and Destination is invalid errors. Is it possible to override these values in Auth0?

P.S. I found an open topic about the same issue but it’s unanswered: