I am trying to implement enterprise connections using SAML with Auth0 as a service provider. Currently, I have multiple clients who have already set up SSO in their applications with different IDPs, such as in:
Microsoft Azure → Enterprise Applications → Single Sign-On
There, they have specified a unique EntityID and Post-back URL. Currently, SimpleSAMLphp handles SSO in my application, and we want to migrate fully to Auth0.
I read that to set up Auth0 as a service provider with some IDPs using SAML, I need to provide an EntityID and a Post-back URL, as specified in the docs auth0 docs
The problem is that I cannot ask my clients to change their EntityID and Post-back URL in one day; I need to give them ample time to do so.
For now, what I do is create an enterprise connection in the Auth0 dashboard, provide the Sign In URL, Sign Out URL, and certificate. I also use a certificate from one of the existing IDPs and change the EntityID using the Management API to match the EntityID in the Microsoft IDP, using the PATCH method at /api/v2/connections/{id}.
However, I am unsure how to handle the Post-back URL that currently sends users directly to my frontend. Is there any workaround, or do I need to change the Post-back URL to what Auth0 requires, which is https://{yourDomain}/login/callback?connection={yourConnectionName}?
Perhaps after successful authentication in the IDP, there is a way to forward traffic along with the SAML assertion from the SimpleSAMLphp service provider to the Auth0 service provider?
Okay, I’ve taken some steps to redirect the SAML assertion from a custom service provider to the Auth0 service provider. The entire flow looks like this:
Auth0’s login form detects the SSO domain
Redirects to the identity provider (idp)
Then redirects to the custom service provider with the SAML assertion
After that custom service provider redirects to the Auth0 service provider with the SAML assertion.
Summary:
In the custom service provider, I retrieve the SAML assertion from the request and redirect to the Auth0 service provider with the SAML assertion.
However, there seems to be an issue as I can see the following error in the Auth0 logs:
“The InResponseTo attribute does not match the id in the AuthNRequest”
I have checked it, and the InResponseTo attribute is indeed the same as the id in the AuthNRequest.
Is it even possible to achieve what I want? Can I redirect the SAML assertion from the custom service provider to the Auth0 service provider?