Datadog SSO Assertion could not be validated

Hello, I’m trying to integrate datadog SSO SP-initiated following this doc Configure Datadog as SAML Service Provider.
From datadog SSO url I’m redirected to authO and log successfully (on auth0 step) however when redirected on Datadog, I receive error:
" SAML Error
Assertion could not be validated"

Thank you for any support ^^

Per what you describe the error originates within Datadog so even if the cause is in the Auth0 configuration any additional information that might assist with finding the root cause will likely be located in Datadog.

Besides the error message that (assuming in the user interface) do you have access to additional logs that could possibly be more explicit about the cause?

Without more explicit logs I would recommend that you configured the correct certificate in Datadog as that could possibly explain the error. Another possibility is that Auth0 may not be configured to send all the necessary data or the values that Datadog expects.

Hello @jmangelo,
I recently tried to switch Datadog SAML from a custom application (with SAML2 addon configured) to this official Datadog SSO integration.
Proceeding with the documentation and being able to correctly replace the existing IDP configuration in Datadog (coming from the custom app + SAML2 addons) with the new file provided by the link in the Auth0 Datadog SSO integration.

I then tried to connect on Datadog with single sign-on but it fails when on Auth0 page saying the callback is not authorized and that we should go to the app setting to allow it.
Clicking on that link, redirect me to a “weird” page that shows the application setting for the SSO integration. And that was the only way to access this configuration for this SSO integration as in the UI, apps and SSO integrations are 2 distinct things where SSO integration do not provide any extra settings (against apps).

Following this, I noticed that, as a Datadog European user, the Datadog SSO integration was not working out of the box as it was having the callback URL set to https://app.datadoghq.com/account/saml/assertion domain where I am needing https://app.datadoghq.eu/account/saml/assertion (EU domain).

Solution for us is currently to stick with the custom app with SAML 2 addons as it is easier to maintain.
If we would have go witth the SSO integration, in order to update the callback configuration, that would have force us to get back to this error page or to “hack” the application setting URL by retrieving the SSO integration ID from its URL and replacing it in an URL shows when I’m updating an app (Something like https://manage.auth0.com/dashboard/eu/my-domain/applications/<datadog-sso-integration-id>/settings).

Could you please have a look (or forward to the concerned maintainers) to improve that integration in order to be able to use the Datadog European domain?
I would rather go with an integration that provides less configuration.

Thanks.