Invalid Callback URL when Using SAML Flow

Problem statement

When using Auth0 as a SAML IdP and trying to log in using a SAML flow, the following error message occurs:

Callback URL mismatch.
The provided redirect_uri is not in the list of allowed callback URLs.

Troubleshooting

Using a HAR file of the login flow, check that the ACS URL in the SAML AuthnRequest matches one of the allowed callback URLs of the application that receives the SAML request.

Cause

When performing a SAML login flow, the Service Provider will call the Identity Provider with a SAML AuthnRequest. Within this request should be an AssertionConsumerServiceURL (ACS) attribute. This indicates where the Service Provider wants the response to be sent.

When an Auth0 application (client ID) with the SAML AddOn receives a SAML request, it compares the request’s ACS URL with the client ID’s allowed callback URLs; if there is no match, the callback URL mismatch error occurs.

Solution

To resolve the issue, either update the application so that it sends an ACS URL that is on the allowed callback URL list of the Auth0 client ID in question, or add the application’s desired callback URL for the SAML assertion to that client ID’s allowed callback URLs.