We have set up an IDP with the name CustomIDP from Connections >> Enterprise >> SAMLP Identity Provider, and then set up a client from the client tag. For the client, we have configured the "Allowed Callback URLs" value to the client hosted URL. While making the authorization call to "https://flow-dev.auth0.com/authorize" we pass connection as CustomIDP. In this process, all goes well except that at the IDP side we are not getting a redirect_uri attribute from Auth0. We need this to redirect the user's browser back to a client URL. Does anyone have any clue for getting redirect_uri at the IDP side from the query string or from the SAMLRequest?
redirect_uri is a parameter defined as part of OAuth2; it's not defined as part of SAML. Although SAML also has flows that make use of HTTP redirections, it's a different protocol and as such works, and is configured, in different ways.
When you configure an Auth0 account to act as a service provider for a SAML identity provider you'll perform several configuration steps described at:
After completing the step (Configure Auth0 as Service Provider) you will be given a URL that will contain relevant information on how to move to the next step, which is configuring the SAML identity provider. Among that information will be listed the Assertion Consumer Service URL that you should configure at the SAML IdP. This URL, something like https://[your_account].auth0.com/login/callback, will be the URL to which the SAML IdP will send the assertion containing the user identity. This is a single URL that will receive the redirect from the IdP and is defined at configuration time.
Bear in mind that although you configured a single URL, your client application can still perform authentication according to OAuth2 against Auth0, which means the client application can use more than one redirect URL and specify it at each request. The flow would be:
- Client application makes an OAuth2 request to your Auth0 account while specifying a SAML connection (allows
- Auth0 makes a SAML request to the IdP specified in the connection.
- User authenticates at the SAML IdP.
- SAML IdP sends a SAML assertion to the Auth0 account containing the user identity (this is sent to the Assertion Consumer Service URL).
- Auth0 account validates the assertion and restarts the OAuth2 transaction by providing a response (in accordance with OAuth2) to the client application (this response will be delivered to the redirect_uri the client initially provided).
What would the OAuth2 request look like?
We are using a password-realm grant type but this doesn’t seem to make sense for this use case. Can you provide a bit more detail?
@ben3 the password-realm grant is just an extension of the resource owner password grant that allows you to further specify a realm. Neither of these grants is redirect-based, and they can only be used by a subset of connection types that support active authentication via username and password. In particular, a SAML connection will not support that while a database connection would, so for SAML you'll need to use an OAuth2 redirect-based flow. If this is insufficient info you may want to post your own question detailing your exact use case.
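The two layers the answers above describe, as an added example that is not part of the thread or of Auth0's own code: the OAuth2 /authorize request (the redirect-based flow the last reply points to) carries redirect_uri and the connection name, while the SAML AuthnRequest that reaches the IdP carries only the Assertion Consumer Service URL. The client id, client callback URL, state handling and SAML issuer are assumed, made-up values.

```python
"""Added example (not from the thread): builds the two requests in the flow
above and shows which of them carries redirect_uri. Values are made up."""
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

AUTH0_DOMAIN = "flow-dev.auth0.com"                      # from the question
ACS_URL = f"https://{AUTH0_DOMAIN}/login/callback"       # ACS URL per the answer
ALLOWED_CALLBACKS = {"https://client.example/callback"}  # assumed allowlist
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

def build_authorize_url(client_id, redirect_uri, connection, state):
    """OAuth2 layer: redirect_uri appears only here, never in the SAML exchange."""
    if redirect_uri not in ALLOWED_CALLBACKS:  # exact match, like Allowed Callback URLs
        raise ValueError("redirect_uri not in Allowed Callback URLs")
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "connection": connection,
              "scope": "openid", "state": state}
    return f"https://{AUTH0_DOMAIN}/authorize?" + urlencode(params)

def encode_saml_request(acs_url, issuer):
    """SAML layer, HTTP-Redirect binding: AuthnRequest -> raw DEFLATE -> base64."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
           f'ID="_{secrets.token_hex(8)}" Version="2.0" '
           f'AssertionConsumerServiceURL="{acs_url}">'
           f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def decode_saml_request(saml_request):
    """What the IdP can read from SAMLRequest: the AuthnRequest's attributes."""
    raw = zlib.decompress(base64.b64decode(saml_request), -15)
    return dict(ET.fromstring(raw).attrib)

def parse_callback(callback_url, expected_state):
    """Client side of the last step: Auth0 redirects to redirect_uri with code and state."""
    q = parse_qs(urlparse(callback_url).query)
    if q.get("state") != [expected_state]:  # reject replayed or forged callbacks
        raise ValueError("state mismatch")
    return q["code"][0]

if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(build_authorize_url("abc123", "https://client.example/callback", "CustomIDP", state))
    attrs = decode_saml_request(encode_saml_request(ACS_URL, f"urn:{AUTH0_DOMAIN}"))
    print(attrs["AssertionConsumerServiceURL"], "redirect_uri" in attrs)
```

Running it prints the /authorize URL with connection=CustomIDP and redirect_uri, then the ACS URL and False: the decoded SAMLRequest holds no redirect_uri, which is why the IdP cannot see it.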