IdP-Initiated SSO - Audience is Ignored

dan11 · July 15, 2017, 3:01am

In a scenario where I am using Auth0 as the service provider and a working SAML connection with an external identity provider, I want to get an access token that comes in as a JWT with an audience claim that is an API. identifier Right now it is an opaque, unencoded token (eg. access_token=Cj0Jil1FYm3lTa_o). My application relies on a JWT that has an “aud” claim with the corresponding audience.

My configuration within the “Edit SAMLP Identity Provider connection” modal looks like this:

Response Protocol:
OpenID Connect

Query Params:
redirect_uri=my_redirect&scope=openid email&response_type=id_token token&audience=my_audience_api_identifier

dan11 · July 16, 2017, 6:31am

A workaround is recycling the silent authorization flow that already exists for the regular implicit flow as soon as the SAML flow hits the “redirect_uri” with an access token

dan11 · July 18, 2017, 5:07am

I would still love some explanation on this subject other than the aforementioned workaround

Topic		Replies	Views
No payload in access token for idp initiated sso Help jwt , sso , id_token , access_token , audience , idp , idp-initiated	6	2247	September 8, 2022
Access token not a JWT after SAML IDP initiated SSO Help saml , sso , idp-initiated	2	7289	September 10, 2018
Potential non-conformance with SAML's AudienceRestriction Help saml	3	3570	August 30, 2019
Strange access token returned by SAML Help saml , sso , access_token , login , access-token	3	5564	March 2, 2018
“Audience is invalid” Error in SAML with custom domain Help connections , saml-enterprise-connection	3	562	February 15, 2024

IdP-Initiated SSO - Audience is Ignored

Related Topics