Management API doesn't return connection entity ID

It seems the documentation is incorrect mentioning that the management API should return the entity ID of a connection with the following query while I tried with a few SAML connections and it doesn’t appear to be in the response:

Hi @sebastibe ,

Thank you for reporting!

Could you please first verify if this entityId value is available in your Auth0 tenant by going to: Authentication → Enterprise → your SAML connection → Setup → Common settings?

The value, if not customised, should be in format: urn:auth0:yourTenant:yourConnectionName

Hi @marcelina.barycka ,

In Setup, I only have this content:

I am the administrator, I follow the link which takes me to the documentation with no possibility to see or edit the value of entity ID.

Hi @sebastibe , thank you for this.

  1. To see the current value of entityID:

The link takes you to the documentation. In the right upper corner, please make sure you are logged in to the relevant Auth0 tenant:

For the part {yourConnectionName} please use the name you gave the connection once creating in your Auth0 tenant. This is your current entityID.

  1. To update the value of entityID of existing connection, please follow these steps:
    a) please run the GET request to Management API (as per documentation) and copy the “options” property form the response
    b) please add the “entityID” key value to the “options” property and run the PATCH request. In the request body, please include the entire “options” object.

Please let me know if you have any questions!

Hi @marcelina.barycka , thank you for confirming that there is no “Common Settings” page under “Setup” and that we need to follow the link toward the documentation. I could confirm the value of the entity ID in the documentation and configure it, however when login through SAML, the login error is “audience is invalid. Configured urn:auth0::” matching the one in the documentation.

Our understanding is that the audience is the Entity ID in the SAML configuration. This is why we wanted to confirm the entity ID by following:

You can obtain this value using the Get a Connection endpoint.

Which doesn’t returns any entityID in the “options” property.

Are we missing something? Maybe the audience referred in the error message is not related to the entity ID?

This kind of related to this post: SAMLResponse Audience is invalid

Except I am positive that the invalid value is exactly the one from the documentation matching the connection name and tenant name we are using. The only difference I could think of is that we are using a custom domain. This is why we were trying to confirm the exact entity ID value.

1 Like

Hi @sebastibe ,

Thank you for the broader context!

I made a quick test a set up a fake SAML connection and can confirm, that in a scenario of default entityID, it is not being returned by the GET Connection endpoint.

One thing to check on your end is if your SAML IdP require the audience to be in a URL format.
If so, you would have to update (PATCH) the connection by enriching the “options” property (where currently there is no entityID returned by the endpoint) with the “entityID”: “URL value”. So basically, copy the whole “options” property returned by the endpoint ad add to it the “entityID” in an expected by your IdP format.

"options": {
    "entityId": "THE URL ENTITY ID",

Please let us know if that helped!

Hi @marcelina.barycka ,

Thank you for the check and confirming that is not possible to obtain the entity ID value using the Get a Connection endpoint if it is the default value.

We confirmed that the issue was coming from a mismatch between the registered Entity ID on the IdP side and ours. Our misunderstanding came from the error message: “audience is invalid. Configured urn:auth0::<tenant_name>:<connection_name>" was actually referring to the configured value on our side, not the value they were trying to match configured on their side.

Having them use the actual default value solved the issue.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.