
Missing "InResponseTo" with SP initiated SSO to Auth0 IdP SAML

I’m trying to integrate a PHP-based app that already uses SimpleSAMLphp with other SAML2 IdPs.

When authenticating with our app as the SP and Auth0 as the IdP, using roughly the following configuration procedure:

  1. Sign up for https://manage.auth0.com
  2. Applications > Create Application
  3. Give it a name
  4. Choose “Regular Web App”
  5. Addons > Enable “SAML2 WEB APP”
  6. Set our SAML Assertion Consumer Service URL as the “Application Callback URL”
  7. Usage > Identity Provider Metadata > Download
  8. Convert the XML metadata to a PHP config for SimpleSAMLphp

We end up getting a response that’s got no InResponseTo in the XML here:

This results in the response being processed as “unsolicited” (which I believe should only happen when the IdP initiated the auth, i.e. not this case).

Trying to handle the unsolicited response we end up with SimpleSAMLphp effectively redirecting to the RelayState parameter as a path roughly here:

This results in a 404; aside from the 404 the auth actually works correctly. As far as I can tell the RelayState is optional but is meant to be a URL, so I wouldn’t mind understanding what’s going wrong here, but I think at this stage it’s more important to get the responses being “solicited”, as that’s the more common case and I don’t think we can redirect back to a sensible place in the app without that.
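The two checks the post is circling around, an SP deciding whether a Response is solicited by matching `InResponseTo` against the AuthnRequest IDs it actually issued, and deciding where it is safe to send the user afterwards, are shown below as an added example. It is not SimpleSAMLphp's code or Auth0's, and the two `samlp:Response` documents, the request ID `_req_abc123` and the hostnames are constructed for the example. The return URL for a solicited login is taken from the SP's own saved state rather than from RelayState, and a RelayState is only honoured when it is a local path or points at an explicitly allowed host, so the ACS endpoint cannot be used as an open redirect.

```python
"""Classify a SAML 2.0 Response as solicited or unsolicited by its
InResponseTo attribute, and validate RelayState before redirecting.
Added example; not code from SimpleSAMLphp or Auth0."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample responses (not real Auth0 output). The first carries an
# InResponseTo naming a request the SP issued; the second omits it, which is
# the shape the thread describes.
SOLICITED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://sp.example.test/module.php/saml/sp/saml2-acs.php/default-sp"
    InResponseTo="_req_abc123"></samlp:Response>"""

UNSOLICITED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}"
    ID="_resp2" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://sp.example.test/module.php/saml/sp/saml2-acs.php/default-sp">
</samlp:Response>"""


def classify_response(xml_text, outstanding):
    """Return ("solicited", return_url) when InResponseTo names a request the
    SP issued and has not yet consumed, ("unsolicited", None) when the
    attribute is absent, and raise ValueError for an unknown request ID.

    `outstanding` maps request ID -> return URL saved when the AuthnRequest
    was sent; a matched entry is popped so a second Response with the same
    InResponseTo is rejected instead of replayed.
    """
    # Production code should parse with defusedxml; ElementTree is used here
    # only so the example runs on a bare interpreter.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}Response":
        raise ValueError("not a samlp:Response")
    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        return "unsolicited", None
    if in_response_to not in outstanding:
        raise ValueError(f"InResponseTo {in_response_to!r} matches no outstanding request")
    return "solicited", outstanding.pop(in_response_to)


def safe_relay_state(relay_state, allowed_hosts=()):
    """Decide where the SP may send the user after an unsolicited login.

    Accepted: a local absolute path ('/account'), or an https URL whose host
    is in allowed_hosts. Rejected (fall back to '/'): empty values, scheme-
    relative URLs ('//evil.test'), backslashes (browsers may treat them as
    slashes) and absolute URLs to any other host.
    """
    if not relay_state or "\\" in relay_state:
        return "/"
    parts = urlsplit(relay_state)
    if not parts.scheme and not parts.netloc and relay_state.startswith("/"):
        return relay_state
    if parts.scheme == "https" and parts.hostname in allowed_hosts:
        return relay_state
    return "/"


if __name__ == "__main__":
    issued = {"_req_abc123": "/dashboard"}  # saved when the AuthnRequest went out
    print(classify_response(SOLICITED_RESPONSE, issued))    # ('solicited', '/dashboard')
    print(classify_response(UNSOLICITED_RESPONSE, {}))      # ('unsolicited', None)
    print(safe_relay_state("//evil.test/login"))            # '/'
```

When the Response is solicited, the redirect target never needs RelayState at all: the SP already knows where the user was going when it created the AuthnRequest, which is why losing `InResponseTo` also loses the sensible post-login destination the post mentions.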

Hey there @neerolyte, I’d love to help you track this down. When you get a free minute can you DM me your tenant name please so we can continue to investigate what may be occurring? Thanks in advance!

I’ve PM’d you @James.Morrison, thanks, but I’ll also share here that I’ve since set up an independent install of SimpleSAMLphp as an SP and it works fine (even with the unsolicited SAMLResponse), so it’s something weird about how we’re embedding the code in our app.

I’ll keep trying to track down where the process differs between the embedded and stand-alone versions for now.
