IdP initiated SSO

Trying to set up Auth0 to implement IdP-initiated SSO with Rails.

I have created two different accounts. One is created as the IdP and the other as the SP. I have created a SAML connection on the SP with IdP SSO settings:

  1. Response protocol: OpenID Connect
  2. Query string contains the string below:
     redirect_uri=http://localhost:3000/users/auth/auth0/callback&scope=openid email&response_type=code

The above redirect_uri is similar to my SP-initiated callback URL, and it is not authenticating my user. It works like a charm for SP-initiated SSO.

Logs while authenticating on my Rails server:
INFO – omniauth: (auth0) Callback phase initiated.
ERROR – omniauth: (auth0) Authentication failure! csrf_detected: OmniAuth::Strategies::OAuth2::CallbackError, csrf_detected | CSRF detected

I also need to understand what the ideal workflow should be for multiple users logging in from a common connection, to avoid CSRF.

Below are the gem versions for integrating Auth0:

gem 'omniauth-auth0', '2.0.0'
gem 'omniauth', '~> 1.2'
gem 'oauth2', '~> 1.0'

There’s some level of conflict with what you want to achieve. Protection against CSRF aims to prevent a certain action from being performed if it’s triggered through a third party. However, IdP-initiated SSO basically boils down to a third party wanting to initiate an action unilaterally.

To my knowledge, the SAML specification does not address this directly, and although something could probably be done by leveraging the RelayState parameter, that would imply very intimate knowledge between the IdP and the SP, so it would always be on a case-by-case basis.

Given that the SAML assertion is signed, the receiving source already has some way to at least ensure that, even though the action is coming from a third party, it’s coming from a trusted third party. With this in mind, you can either have a specific endpoint for IdP-initiated SSO and disable CSRF on that endpoint, or always use SP-initiated instead.
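As an added illustration (not code from this thread or from Auth0), here is a stand-alone Ruby model of the state check behind the `csrf_detected` error in the question: it shows why the SP-initiated callback passes, why an IdP-initiated POST to the same callback fails, and what the dedicated endpoint suggested in the answer changes. `provider_ignores_state` is the option name omniauth-oauth2 uses for that switch; the function names and sample parameters are invented for the example.

```ruby
# Added example: a no-gems model of the state check that OmniAuth's OAuth2
# callback phase performs. The SP stores a random `state` in the session when
# it starts the flow and rejects any callback whose `state` param does not
# match it. Setting `provider_ignores_state: true` on a strategy skips the
# check, which is what a dedicated IdP-initiated endpoint would do.
require 'securerandom'

# SP-initiated request phase: mint a state and remember it in the session.
def request_phase(session)
  session['omniauth.state'] = SecureRandom.hex(24)
  session['omniauth.state']
end

# Callback phase: mirrors the check that raised the error in the question.
# Returns :ok or :csrf_detected.
def callback_phase(session, params, provider_ignores_state: false)
  unless provider_ignores_state
    expected = session.delete('omniauth.state') # one-time use
    given = params['state'].to_s
    return :csrf_detected if given.empty? || given != expected
  end
  :ok
end

# Case 1: SP-initiated. The browser carries back the state the SP minted,
# so the callback is accepted.
def sp_initiated
  session = {}
  state = request_phase(session)
  callback_phase(session, { 'code' => 'sample-code', 'state' => state })
end

# Case 2: IdP-initiated on the normal callback. The SP never minted a state,
# the session is empty, and the check fails exactly as in the logs above.
def idp_initiated_default
  session = {}
  callback_phase(session, { 'code' => 'sample-code' })
end

# Case 3: the answer's dedicated IdP-initiated endpoint with the state check
# turned off. What still protects this path is the server-side exchange of
# the code with Auth0 using the client secret, which this model does not show.
def idp_initiated_dedicated
  session = {}
  callback_phase(session, { 'code' => 'sample-code' }, provider_ignores_state: true)
end
```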