We are using Lock.js (v10), with auth0.js (v8), in an Angular 1.x application. Our application is a Service Provider and we will be using our client's ADFS as the IdP. As we do not have access to our client's IdP during development, we have set up another Auth0 client as a test IdP.
Our client has been periodically testing our implementation by sending a valid SAML response as if it were from the IdP (but it's not actually; they are using a custom HTML page to send the request). While this works, in that we see a successful login in the Auth0 logs, the user is actually left on the login screen of our application without actually being logged in. We were able to replicate this behavior by using the login URL of our Auth0 test IdP.
When the login is initiated from our application's login button, the login works as expected, i.e., you are redirected back to the login page and then logged in. When the login is initiated from the IdP login URL (so minus the first step of clicking 'login' on the application site), the user ends up on the login page of our application and is not then logged in. There are no errors in the console to investigate.
We also have IdP-initiated SSO set up with the correct default client and SAML as the response type.
Update
It looks like when the login request is IdP initiated, none of the required URL params are present on the callback URL.
i.e., when we log in using the button, the callback request has #access_token=foo&… but when initiated from the IdP, there is nothing, and hence Lock is not triggered.
Why is this happening? What are we missing?
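The two callbacks described in the update differ only in what follows the `#` on the callback URL, so a small classifier of that fragment makes the difference concrete. The following is an added example, not code from the original post and not part of Lock or auth0.js; the function and constant names (`parseFragment`, `classifyCallback`, `SAMPLE_SP_CALLBACK`, `SAMPLE_IDP_CALLBACK`) and the sample URLs are constructed for this illustration. It reproduces the check a single-page app has to pass before it can treat a redirect as a login: the fragment must carry the token parameters, and the `state` value in it must match the one the app stored when it started the login. The IdP-initiated URL arrives with no fragment at all, so the first check already fails, and even if tokens were present there would be no stored `state` for the second check because the app never started the transaction.

```javascript
// Added example (not from the original post, not Auth0 library code): classify an
// Auth0 callback URL by inspecting its fragment, which is where Lock v10 / auth0.js v8
// expect the tokens for a SPA to arrive. All names here are this example's own.

// Parameters a Lock/auth0.js implicit-flow callback must carry for the app to proceed.
// Other parameters (id_token, expires_in, token_type) may be present but are not required here.
const REQUIRED_KEYS = ['access_token', 'state'];

// Constructed sample URLs. The first mimics the button-initiated callback from the post
// ("#access_token=foo&…"); the second mimics the IdP-initiated callback, which has no fragment.
const SAMPLE_SP_CALLBACK =
  'https://app.example/callback#access_token=foo&expires_in=7200&token_type=Bearer&state=abc123';
const SAMPLE_IDP_CALLBACK = 'https://app.example/callback';

// Parse "#a=1&b=2" into a plain object. Returns {} when there is no fragment.
function parseFragment(url) {
  const hash = new URL(url).hash.replace(/^#/, '');
  const params = {};
  if (!hash) return params;
  for (const pair of hash.split('&')) {
    if (!pair) continue;
    const idx = pair.indexOf('=');
    const key = decodeURIComponent(idx === -1 ? pair : pair.slice(0, idx));
    const val = idx === -1 ? '' : decodeURIComponent(pair.slice(idx + 1));
    params[key] = val;
  }
  return params;
}

// Decide what kind of callback landed on the page.
//   'no-fragment'    nothing after '#': the symptom seen with the IdP-initiated URL
//   'incomplete'     a fragment is present but lacks required parameters
//   'state-mismatch' tokens present but state differs from what the app stored
//   'authenticated'  tokens present and state matches; the app may finish the login
// storedState is the value the app saved when it started the login (null if it never did).
function classifyCallback(url, storedState) {
  const params = parseFragment(url);
  if (Object.keys(params).length === 0) {
    return { kind: 'no-fragment', missing: REQUIRED_KEYS.slice() };
  }
  const missing = REQUIRED_KEYS.filter((k) => !(k in params));
  if (missing.length > 0) {
    return { kind: 'incomplete', missing };
  }
  if (storedState === null || params.state !== storedState) {
    return { kind: 'state-mismatch', missing: [] };
  }
  return { kind: 'authenticated', missing: [] };
}

// Stand-alone demonstration of both cases from the post.
console.log(classifyCallback(SAMPLE_SP_CALLBACK, 'abc123'));   // kind: 'authenticated'
console.log(classifyCallback(SAMPLE_IDP_CALLBACK, 'abc123'));  // kind: 'no-fragment'
```

In a real page the URL would be `window.location.href` and `storedState` would be read from wherever the app persisted it before redirecting. Logging the `kind` value on every callback is a cheap way to tell an IdP-initiated arrival apart from a genuine Lock callback instead of silently showing the login screen again.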