Why does the 'AssertionConsumerServiceURL' placeholder in the SAML request template appear 'blank' at login?

Problem statement

We have configured Auth0 to be a Service Provider (SP) for the SAML protocol, as described here:

We have followed the instructions to create an Enterprise SAML connection, called ‘saml-xyz’.

We would like to customize a SAML Request template for this Enterprise Connection saml-xyz, as described in this section of the documentation:

We carefully configured the template as follows:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="@@AssertionConsumerServiceURL@@"
Destination="@@Destination@@"
ID="@@ID@@"
IssueInstant="@@IssueInstant@@"
ProtocolBinding="@@ProtocolBinding@@" Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@@Issuer@@</saml:Issuer>
</samlp:AuthnRequest>

But when we attempted to authenticate via the connection saml-xyz, we experienced an error. On closer inspection, it seems that the AssertionConsumerServiceURL placeholder was blank.

This is a sample request that was sent during login:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
AssertionConsumerServiceURL="@@AssertionConsumerServiceURL@@"
Destination="https://saml2.saml-xyz.local/SamlIdP/AuthnRequestReceiver"
ID="_ed7664daewqrqedsc073998d08862262c14b2bd75f"
IssueInstant="2023-02-06T12:57:43Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:auth0:cust-billing-prod:saml-xyz</saml:Issuer>
</samlp:AuthnRequest>

Given that we have customized the SAML Request template, why doesn’t the AssertionConsumerServiceURL placeholder take on the value that we wish to assign to it?

Symptoms

Following the documentation, the value of AssertionConsumerServiceURL is defined as follows:

AssertionConsumerServiceURL: The URL where the IdP sends the response after the user signs in. Include the ProtocolBinding attribute in the request template if you use this.

Variables can be placed into the AuthnRequest template using the @@VariableName@@ syntax.

However, in some circumstances, the AssertionConsumerServiceURL placeholder variable may be empty following an authentication attempt (see the ‘Solution’ section below).

Solution

This is not an error. It is in fact the expected behaviour.

Whether or not the AssertionConsumerServiceURL placeholder value is expanded at runtime depends on whether or not you have chosen to sign SAML requests.

There are two possible options:

a) If requests are not signed, the only acceptable AssertionConsumerService URLs are the ones that have previously been shared with the IdP when the trust relationship was established. This means that there is no point in sending this URL in the SAML request.

b) If requests are signed, then the IdP can verify the request wasn’t tampered with and trust the ACS URL sent by the SP in the SAML request.

So in this particular case, look at your configuration settings for connection ‘saml-xyz’. Note that ‘Sign SAML Request’ is not enabled. As the requests are NOT being signed, this corresponds to option a) above. As a consequence, the AssertionConsumerServiceURL placeholder value will not be expanded in the template.
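
The IdP-side decision behind options a) and b), sketched as an added example (not Auth0's code or any IdP's actual implementation). The names `resolve_acs_url`, `build_request` and `AcsUrlRejected`, the `example.test` URLs, and the reduction of signature verification to a boolean are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

class AcsUrlRejected(Exception):
    """The requested ACS URL may not be used for this request."""

def resolve_acs_url(request_xml, signature_valid, registered_acs_urls):
    """Return the URL the IdP should send the SAML response to.

    signature_valid: outcome of verifying the request signature (assumed to
    be done elsewhere). registered_acs_urls: URLs shared when trust was
    established; the first entry is treated as the default.
    """
    # A production IdP would use a hardened XML parser for untrusted input.
    root = ET.fromstring(request_xml)
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    requested = root.get("AssertionConsumerServiceURL")
    if not requested:
        # Attribute omitted or empty: fall back to the registered default.
        return registered_acs_urls[0]
    if signature_valid:
        # Option b): the signature shows the SP wrote this URL.
        return requested
    if requested in registered_acs_urls:
        # Option a): unsigned, but the URL was already agreed on.
        return requested
    raise AcsUrlRejected(f"unsigned request names unregistered URL {requested!r}")

def build_request(acs_attr=""):
    """Constructed minimal AuthnRequest; acs_attr is raw attribute text."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" {acs_attr} '
            'ID="_constructed1" Version="2.0"/>')

# Constructed sample values, not taken from any real tenant.
REGISTERED = ["https://sp.example.test/login/callback"]
OTHER = 'AssertionConsumerServiceURL="https://sp.example.test/alt/callback"'
UNEXPANDED = 'AssertionConsumerServiceURL="@@AssertionConsumerServiceURL@@"'

if __name__ == "__main__":
    print(resolve_acs_url(build_request(), False, REGISTERED))
    print(resolve_acs_url(build_request(OTHER), True, REGISTERED))
    for attr in (OTHER, UNEXPANDED):
        try:
            resolve_acs_url(build_request(attr), False, REGISTERED)
        except AcsUrlRejected as exc:
            print("rejected:", exc)
```

In this model an unsigned request gains nothing from carrying the attribute: a registered URL is accepted either way, and anything else, including an unexpanded `@@AssertionConsumerServiceURL@@` literal, is refused.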