Migrate existing SSO SAML connections to Auth0

Hello

I am trying to implement enterprise connections using SAML with Auth0 as a service provider. Currently, I have multiple clients who have already set up SSO in their applications with different IDPs, such as in:

Microsoft Azure → Enterprise Applications → Single Sign-On

There, they have specified a unique EntityID and Post-back URL. Currently, SimpleSAMLphp handles SSO in my application, and we want to migrate fully to Auth0.

I read that to set up Auth0 as a service provider with some IDPs using SAML, I need to provide an EntityID and a Post-back URL, as specified in the Auth0 docs.

The problem is that I cannot ask my clients to change their EntityID and Post-back URL in one day; I need to give them ample time to do so.

For now, what I do is create an enterprise connection in the Auth0 dashboard, provide the Sign In URL, Sign Out URL, and certificate. I also use a certificate from one of the existing IDPs and change the EntityID using the Management API to match the EntityID in the Microsoft IDP, using the PATCH method at /api/v2/connections/{id}.

However, I am unsure how to handle the Post-back URL that currently sends users directly to my frontend. Is there any workaround, or do I need to change the Post-back URL to what Auth0 requires, which is https://{yourDomain}/login/callback?connection={yourConnectionName}?

Perhaps after successful authentication in the IDP, there is a way to forward traffic along with the SAML assertion from the SimpleSAMLphp service provider to the Auth0 service provider?

Okay, I’ve taken some steps to redirect the SAML assertion from a custom service provider to the Auth0 service provider. The entire flow looks like this:

  • Auth0’s login form detects the SSO domain
  • Redirects to the identity provider (IdP)
  • Then redirects to the custom service provider with the SAML assertion
  • After that, the custom service provider redirects to the Auth0 service provider with the SAML assertion.

Summary:

  • In the custom service provider, I retrieve the SAML assertion from the request and redirect to the Auth0 service provider with the SAML assertion.

However, there seems to be an issue as I can see the following error in the Auth0 logs:
“The InResponseTo attribute does not match the id in the AuthNRequest”
I have checked it, and the InResponseTo attribute is indeed the same as the id in the AuthNRequest.

Is it even possible to achieve what I want? Can I redirect the SAML assertion from the custom service provider to the Auth0 service provider?

Okay, I redirect the SAML assertion from the external service to Auth0, but now I am getting this error:

Destination endpoint https://sub1.domain.com/login/index.php did not match https://sub2.domain.com/login/callback?connection=auth0ConnectionName

Can I somehow fix it?

Another idea: can I somehow whitelist the ACS URL https://sub1.domain.com/login/index.php, so that Auth0 will not complain about:

Destination endpoint https://sub1.domain.com/login/index.php did not match https://sub2.domain.com/login/callback?connection=auth0ConnectionName
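The two log messages in this thread (the InResponseTo mismatch and the Destination mismatch) come from standard service-provider checks that bind a SAML Response to exactly one SP and one login attempt, which is why a Response issued for the SimpleSAMLphp ACS on sub1 is refused when relayed to the Auth0 ACS on sub2. The script below is an added illustration, not code from the thread, from Auth0 or from SimpleSAMLphp: it runs the same four bindings (Destination, InResponseTo, Recipient, Audience) over a constructed, unsigned sample Response. All URLs, request IDs and the EntityID `urn:simplesamlphp:sp` (standing in for the EntityID the clients configured in Azure, which the Auth0 connection was patched to match) are placeholders; signature and time-window validation are left out.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample (placeholder values, unsigned for brevity): the Response the IdP
# POSTs to the SimpleSAMLphp ACS on sub1, answering an AuthnRequest SimpleSAMLphp issued.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://sub1.domain.com/login/index.php"
    InResponseTo="_req-issued-by-simplesamlphp">
  <saml:Issuer>https://sts.windows.net/example-tenant/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://sts.windows.net/example-tenant/</saml:Issuer>
    <saml:Subject>
      <saml:NameID>user@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sub1.domain.com/login/index.php"
            InResponseTo="_req-issued-by-simplesamlphp" NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>urn:simplesamlphp:sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def to_saml_response_field(xml_text: str) -> str:
    """Encode the XML the way it travels in the SAMLResponse POST parameter."""
    return base64.b64encode(xml_text.encode()).decode()


def validate_response(saml_response_b64: str, expected_acs: str,
                      expected_audience: str, outstanding_request_ids: set) -> list:
    """Run the SP-side checks that tie a Response to one SP and one login attempt.
    Returns the list of failures; an empty list means the Response is acceptable
    (signature and NotOnOrAfter checks are deliberately omitted in this illustration)."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    failures = []

    # 1. Destination: the Response must be addressed to this SP's own ACS URL.
    destination = root.get("Destination")
    if destination != expected_acs:
        failures.append(f"Destination endpoint {destination} did not match {expected_acs}")

    # 2. InResponseTo: must name an AuthnRequest ID that *this* SP issued and still has
    #    outstanding; an ID minted by another SP is simply unknown here.
    if root.get("InResponseTo") not in outstanding_request_ids:
        failures.append("The InResponseTo attribute does not match the id in the AuthNRequest")

    # 3. Bearer confirmation: the Recipient must also be this SP's ACS URL.
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected_acs:
        failures.append("SubjectConfirmationData Recipient does not match the ACS URL")

    # 4. Audience: the assertion must be intended for this SP's EntityID.
    audience = root.findtext(".//saml:Audience", namespaces=NS)
    if audience != expected_audience:
        failures.append(f"Audience {audience} does not match SP EntityID {expected_audience}")

    return failures


def simplesamlphp_view() -> list:
    """The SP the IdP was actually answering: every binding lines up."""
    return validate_response(
        to_saml_response_field(SAMPLE_RESPONSE_XML),
        expected_acs="https://sub1.domain.com/login/index.php",
        expected_audience="urn:simplesamlphp:sp",
        outstanding_request_ids={"_req-issued-by-simplesamlphp"},
    )


def auth0_view() -> list:
    """The same Response relayed unchanged to the Auth0 SP on sub2. The EntityID was
    patched to match, so Audience passes, but Auth0 never issued the AuthnRequest and
    owns a different ACS URL, so Destination, InResponseTo and Recipient all fail."""
    return validate_response(
        to_saml_response_field(SAMPLE_RESPONSE_XML),
        expected_acs="https://sub2.domain.com/login/callback?connection=auth0ConnectionName",
        expected_audience="urn:simplesamlphp:sp",
        outstanding_request_ids={"_req-issued-by-auth0"},
    )


if __name__ == "__main__":
    print("SimpleSAMLphp SP:", simplesamlphp_view() or "accepted")
    for failure in auth0_view():
        print("Auth0 SP:", failure)
```

Running it prints the SimpleSAMLphp side as accepted and the Auth0 side with the same two messages that appear in the thread's logs plus the Recipient mismatch. The point for the migration is that these values are written by the IdP into the Response and are what an SP uses to refuse assertions that were never issued to it, so matching the EntityID on the Auth0 connection does not remove the need for the IdP's Reply URL to point at the Auth0 ACS.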