IdP-Initiated Login not Configured in Connection

Problem statement

An Enterprise SAML SSO login has been configured with the following:

  • our custom domain: login.contoso.com
  • the connection name: saml-CONX
  • Auth0 client application is contoso-biz
  • Auth0 has been configured as the Service Provider (SP)
  • a 3rd party service is acting as the Identity Provider (IdP)

As far as we can see, the SAML connection has been configured correctly on the Contoso side; however, login attempts fail. Why might this be happening?

Symptoms

  • When attempting to log in to ‘contoso-biz’, an error screen is displayed during the SSO process.
  • No SSO login attempts appear in the tenant logs.

Troubleshooting

  • Capture the login flow in a HAR file, as described in the Generate and Analyze HAR files documentation. Look for any errors, such as a '400 Bad Request' response. The SAML part of the flow (the base64-encoded SAMLResponse posted by the IdP) can be inspected using SAML-Tool.

  • Go to: Dashboard → Monitoring → Logs and search the logs for events that relate to the SAML connection of interest. Search using this format: "connection:<connection-name>". For example, in this case, the search term would be "connection:saml-CONX". Check if the login attempts using this connection are recorded as events in the tenant logs. If so, check if these login attempts fail or succeed. Refer to the list of "Log Event type Codes" to help with diagnosis.

  • Check the IdP configuration: if this is under the control of a 3rd party, ask them to confirm that the configuration has been performed correctly, in particular the URL the IdP posts the SAML response to.

Cause

Examination of the HAR file may show a POST-back call (the IdP delivering the SAML response to Auth0) to a URL of this form:
https://{yourDomain}/login/callback?connection={yourConnectionName}

In this example, the URL would take the form:
URL: https://login.contoso.com/login/callback?connection=saml-CONX

If this call has resulted in a 400 Bad Request error, it indicates that the user has attempted to perform an IdP-Initiated login but the connection has not been configured to support this feature. In an IdP-Initiated flow there is no preceding authentication request from Auth0, so the connection query parameter is the only thing that tells Auth0 which connection the incoming SAML response belongs to; if it is missing, or if IdP-Initiated SSO is not enabled on that connection, the request is rejected before any login event is written, which is why nothing appears in the tenant logs.
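The HAR check described in the troubleshooting steps and the cause above can be automated. The following script is an added example for this article, not Auth0 code: it walks the entries of a HAR capture, picks out POST requests to /login/callback, decodes the SAMLResponse form field, and classifies each post-back. A response with no InResponseTo attribute is unsolicited, i.e. IdP-Initiated; if such a response was posted without the connection query parameter, the script reports it as the cause described above. The embedded HAR, the IdP entityID https://idp.example.com/metadata and the request IDs are constructed for the walkthrough; the SAML responses are minimal and unsigned, which is enough to show the routing problem but is not what a real IdP emits.

```python
"""Classify SAML post-backs to /login/callback in a HAR capture.

Added example for this article (not Auth0's own code); standard library only.
The HAR below is constructed: the IdP entityID, request IDs and timestamps are
made up, and the SAML responses are minimal and unsigned.
"""
import base64
import json
from urllib.parse import urlsplit, parse_qs, unquote_plus
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
IDP = "https://idp.example.com/metadata"  # assumed IdP entityID (constructed)


def _sample_response(issuer, in_response_to=None):
    """Build a minimal, unsigned SAML Response (constructed test data only)."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    xml = (f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
           f'ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"{irt}>'
           f'<saml:Issuer>{issuer}</saml:Issuer></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


def _entry(url, status, saml_response):
    """One HAR entry for a form-encoded POST carrying a SAMLResponse."""
    return {"request": {"method": "POST", "url": url,
                        "postData": {"mimeType": "application/x-www-form-urlencoded",
                                     "params": [{"name": "SAMLResponse",
                                                 "value": saml_response}]}},
            "response": {"status": status}}


SAMPLE_HAR = {"log": {"entries": [
    # 1) IdP posted to the callback without ?connection=...: Auth0 answers 400
    _entry("https://login.contoso.com/login/callback", 400, _sample_response(IDP)),
    # 2) the same IdP-Initiated flow with the connection parameter present
    _entry("https://login.contoso.com/login/callback?connection=saml-CONX", 302,
           _sample_response(IDP)),
    # 3) an SP-initiated response: InResponseTo echoes Auth0's AuthnRequest ID
    _entry("https://login.contoso.com/login/callback?connection=saml-CONX", 302,
           _sample_response(IDP, in_response_to="_authnreq42")),
]}}


def _decode_saml_response(value):
    """Base64-decode a SAMLResponse field, tolerating URL-encoded HAR values."""
    for candidate in (value, unquote_plus(value)):
        try:
            return base64.b64decode(candidate, validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def _form_field(post_data, name):
    """Read a form field from HAR postData.params, falling back to postData.text."""
    for p in post_data.get("params", []):
        if p.get("name") == name:
            return p.get("value")
    return parse_qs(post_data.get("text", "")).get(name, [None])[0]


def classify(entry):
    """Return None for non-callback entries, else a dict describing the post-back."""
    req, url = entry["request"], urlsplit(entry["request"]["url"])
    if req.get("method") != "POST" or not url.path.endswith("/login/callback"):
        return None
    connection = parse_qs(url.query).get("connection", [None])[0]
    status = entry["response"]["status"]
    issuer = in_response_to = None
    raw = _form_field(req.get("postData", {}), "SAMLResponse")
    xml = _decode_saml_response(raw) if raw else None
    if xml:
        root = ET.fromstring(xml)
        in_response_to = root.get("InResponseTo")  # absent => unsolicited (IdP-Initiated)
        el = root.find(f"{{{SAML_NS}}}Issuer")
        issuer = el.text if el is not None else None
    if xml is None:
        diagnosis = "no_saml_response"
    elif in_response_to:
        diagnosis = "sp_initiated"
    elif connection is None:
        diagnosis = "missing_connection_param"   # Auth0 cannot route the response
    elif status >= 400:
        diagnosis = "idp_initiated_rejected"     # check IdP-Initiated SSO is enabled
    else:
        diagnosis = "idp_initiated_ok"
    return {"url": req["url"], "status": status, "connection": connection,
            "issuer": issuer, "in_response_to": in_response_to, "diagnosis": diagnosis}


def analyze_har(har):
    """Classify every /login/callback POST in a parsed HAR document."""
    return [f for f in (classify(e) for e in har["log"]["entries"]) if f]


def analyze_har_file(path):
    with open(path, encoding="utf-8") as fh:
        return analyze_har(json.load(fh))


if __name__ == "__main__":
    for f in analyze_har(SAMPLE_HAR):
        print(f"{f['status']} {f['url']}\n   issuer={f['issuer']} "
              f"InResponseTo={f['in_response_to']} -> {f['diagnosis']}")
```

Run it against a real capture with analyze_har_file("login.har"). The first sample entry reproduces the case in this article: an unsolicited response posted to /login/callback with no connection parameter and a 400 status, reported as missing_connection_param. The Issuer value is worth checking too; it must match the IdP entityID configured on the connection, otherwise the response will be rejected even when the routing is correct.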

Solution

Review the configuration of IdP-Initiated SSO in this arrangement: enable IdP-Initiated SSO on the saml-CONX connection in the Auth0 Dashboard and select the application (contoso-biz) the user should land in. In particular, ensure that when using IdP-Initiated SSO, the IdP posts the SAML response to a post-back URL that includes the connection parameter:

https://{yourDomain}/login/callback?connection={yourConnectionName}

Note that IdP-Initiated SSO means Auth0 accepts SAML responses it did not request (there is no InResponseTo tying the response to an Auth0 authentication request), so enable it only for connections that genuinely need it and keep signature validation against the IdP's signing certificate in place.

Related References