Hi Giovanni,
Thanks for reaching out. This is Matias, I’m a Developer Support Engineer from Auth0, and I will be glad to help you with this issue.
I tried to replicate the issue, and after I installed and configured the SSO integration for the first time, everything worked as expected. There is no option in the UI to make changes to the SAML addon for the SSO integration, but I can see that “nameIdentifierProbes” was set to the following array:
“nameIdentifierProbes”: [
“http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier”,
“http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name”,
“http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress”
]
However, once I made a change to the SSO integration (simply changed the Callback URL, which is one of the two parameters you can change), the integration stopped working and I received the same error "No attribute was found to generate the nameIdentifier. We tried with: ". This is because “nameIdentifierProbes” was set to an empty array .
I’ve escalated this bug to Engineering so that they are aware of it and can implement a fix. But in the meantime, you can fix your implementation in one of two ways:
-
You can delete your ‘Jenkins’ SSO integration and create a new one with the right Callback URL, remember that if you make any changes to the integration afterwards, it will break. Also, keep in mind that some of the configuration values in the Tutorial tab will change.
-
You can update the SSO integration using the Auth0 Management API (PATCH /api/v2/clients/{id}) to fix it. These are the steps you would need to follow:
Use the Management API endpoint mentioned here: Auth0 Management API v2
You can get the Client ID for this SSO integration in the Auth0 Dashboard > Applications > SSO Integrations > Jenkins > You will see the Client ID on top, below the name.
Use the following body in the PATCH request to fix your implementation:
{
"issuer": "urn:TENANT-NAME",
"mappings": {},
"createUpnClaim": true,
"passthroughClaimsWithNoMapping": true,
"mapUnknownClaimsAsIs": false,
"mapIdentities": true,
"signatureAlgorithm": "rsa-sha1",
"digestAlgorithm": "sha1",
"lifetimeInSeconds": 3600,
"signResponse": false,
"typedAttributes": true,
"includeAttributeNameFormat": true,
"nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
"nameIdentifierProbes": [
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
],
"authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
"logout": {
"slo_enabled": true
},
"binding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
}
Replace TENANT-NAME with the name of your Auth0 tenant.
If you eventually need to change the Callback URL again, you can PATCH the SSO integration again with the above body.
Cheers!