
How to override the callback url on the SAML2 Web App addon

saml
#1

Hi,

I have implemented the PKCE flow in a command line utility (https://github.com/binxio/oauth-cli) in order to exchange a SAML response token for AWS credentials. For this I have configured the ‘SAML2 Web App’ Addon onto a native application.

Now I would like to combine this functionality to deliver both AWS console and cli access. For this I need to change the callback URL: For AWS Console -> https://signin.aws.amazon.com/saml and for the CLI it is http://localhost:12200/saml.

I have added both URLs to the allowed callback URLs, but the add-on always redirects to the Application Callback URL defined in the usage section of the ‘SAML2 Web App’.

Specifying a redirect_uri as a parameter on the /authorize request does not help.

Is there any way to influence the callback url on the ‘SAML2 Web App’ addon?

Cheers,

Mark

1 Like
#3

Hey there @Mark, you can leverage the Application callback URL as described in our Auth0 SAML2 Web tutorial and direct the callback URL accordingly as seen below. However there’s a chance you are looking for something a little more expansive depending on the use-case. If that is indeed the case it would require some custom code as it’s not native functionality. Please let me know if you have any questions or feedback. Thanks in advance!

  1. To enable the Addon from the Auth0 side, you will need to provide your Application Callback URL, which receives the SAML response, as well as the Settings for your setup. Within the Settings page, there is a sample object that you can use when determining which settings you want to enable:
{
// "audience":  "urn:foo",
// "recipient": "http://foo",
// "mappings": {
//   "user_id":     "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
//   "email":       "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
//   "name":        "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
//   "given_name":  "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
//   "family_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
//   "upn":         "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
//   "groups":      "http://schemas.xmlsoap.org/claims/Group"
// },
// "createUpnClaim":       true,
// "passthroughClaimsWithNoMapping": true,
// "mapUnknownClaimsAsIs": false,
// "mapIdentities":        true,
// "signatureAlgorithm":   "rsa-sha1",
// "digestAlgorithm":      "sha1",
// "destination":          "http://foo",
// "lifetimeInSeconds":    3600,
// "signResponse":         false,
// "typedAttributes":      true,
// "includeAttributeNameFormat":  true,
// "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
// "nameIdentifierProbes": [
//   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
//   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
//   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
// ],
// "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
// "logout": {
//   "callback": "http://foo/logout"
// }
}
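As an added illustration (not from this thread and not Auth0's or the oauth-cli project's code): the SAML Response the addon posts to the Application Callback URL is bound to that URL through the destination, recipient and audience settings in the object above, so an app receiving it at its own callback (here the CLI listener on http://localhost:12200/saml) should verify those fields against its own configured values instead of trusting whichever URL the POST arrived on. The sample response and the audience URNs are constructed for this example; signature verification is out of scope here and would come first in a real receiver.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def check_response_binding(xml_text, expected_callback, expected_audience):
    """Return the mismatches between a SAML Response and the addon settings the
    receiving app was configured with (an empty list means everything matches)."""
    root = ET.fromstring(xml_text)
    problems = []
    # 'destination' setting -> samlp:Response/@Destination
    if root.get("Destination") != expected_callback:
        problems.append(f"Destination={root.get('Destination')!r}")
    # 'recipient' setting -> saml:SubjectConfirmationData/@Recipient
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != expected_callback:
        problems.append(f"Recipient={recipient!r}")
    # 'audience' setting -> saml:Conditions/AudienceRestriction/Audience
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"Audience={audiences!r}")
    return problems

# Constructed, unsigned sample: what the CLI listener would receive if the
# addon's Application Callback URL had been set up for the AWS console instead.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  ID="_r1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z"
  Destination="https://signin.aws.amazon.com/saml">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
    <saml:Subject>
      <saml:NameID>mark@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://signin.aws.amazon.com/saml"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>urn:example:console</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    # The CLI expects its own callback and audience, so all three fields mismatch.
    print(check_response_binding(SAMPLE, "http://localhost:12200/saml", "urn:example:cli"))
```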
#4

Hi James,

Thank you for your time to answer this question. I have currently set the Application callback URL, but it means I have to define two applications with the SAML2 Web Addon, just because they have a different callback URL.

I was hoping that I could define one application for both AWS console access as well as for my login client.

Anyway, I am pretty content with the solution I have now.

Cheers,

Mark

2 Likes
#5

I’m glad to hear you got it handled and thank you for sharing the solution @Mark! Keep us posted if you run into any questions in the future.
