IdP-Initiated SSO with Azure as IdP: Invalid State

We are integrating an SPA with Azure, so Azure Active Directory with SAML. The idea is that users go to an Azure Portal and they can access the SPA without having to sign in again.

Azure integrates with Auth0 with SAML and this seems to work well, but then when Auth0 calls back to the SPA it doesn’t include a state (we are using OpenID Connect and the following query string: “response_type=token&prompt=none&state=reverscore”).

If we don’t add any state in the query string we get an MSAL error saying it’s not getting one in the hash.
If we add a state parameter in the query string it says it’s expecting a null value in the state.

Do you know how to add a state in the flow or avoid this issue?

Thank you.

From the flow you describe you would be translating SAML (happening between Azure AD and Auth0) into OIDC (happening between Auth0 and your application). With IdP-initiated flows this translation does not go well…

The recommendation here would be if you could have your SPA implement an endpoint (https://app.example.com/login/azuread-connection) which when accessed would immediately start an OIDC login request into Auth0 (and pass a connection parameter where the value is the name of the Azure AD connection).

The above would imply that the Auth0 service immediately starts an SP-Initiated flow against Azure AD, which would likely complete automatically if the user is already logged in to Azure AD.

If you can then have the Azure Portal link point to the SPA URL instead of actually doing an IdP-Initiated flow, this should give pretty much the same outcome (user is logged in to the SPA) without the IdP-Initiated considerations.

Hello, thank you very much. I hadn’t thought about this. I’ll try it out and let you know how it goes.

Hi, I’ve tried to set up an SP-initiated flow with the enterprise connection Microsoft Azure AD, but it is always asking me for the login information despite the fact that I am already logged in. Any indication of how to do that?

Sorry for the radio silence, had to take some time off. With the new approach you tried are you prompted to login in Auth0 or in Azure AD?