I’m trying to integrate a PHP-based app that already uses SimpleSAMLphp with other SAML2 IdPs.
When authenticating with our app as the SP and Auth0 as the IdP, using roughly the following configuration procedure:
- Sign up for https://manage.auth0.com
- Applications > Create Application
- Give it a name
- Choose “Regular Web App”
- Addons > Enable “SAML2 WEB APP”
- Set our SAML Assertion Consumer Service URL as the “Application Callback URL”
- Usage > Identity Provider Metadata > Download
- Convert xml metadata to php config for SimpleSAMLphp
We end up getting a response that’s got no InResponseTo in the XML here:
This results in the response being processed as “unsolicited” (which I believe should only happen when the IdP initiated the auth, i.e. not this case).
Trying to handle the unsolicited response we end up with SimpleSAMLphp effectively redirecting to the RelayState parameter as a path roughly here:
This results in a 404; aside from the 404, the auth actually works correctly. As far as I can tell the RelayState is optional but is meant to be a URL, so I wouldn’t mind understanding what’s going wrong here, but I think at this stage it’s more important to get the responses being “solicited”, as that’s the more common case and I don’t think we can redirect back to a sensible place in the app without that.
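The two behaviours described in this post, a Response with no `InResponseTo` being classified as unsolicited and the RelayState then being used as a redirect target, are shown below as an added, stand-alone example. It is not code from SimpleSAMLphp, Auth0 or the original poster; it uses only the Python standard library so it runs offline, and the SAML Response XML, request ID `_req1`, hostnames and function names are all constructed for illustration. The checks it performs (envelope `InResponseTo` must match an outstanding AuthnRequest, the assertion's `SubjectConfirmationData/@InResponseTo` must agree with it, and RelayState must be an absolute URL on an allowlisted host before it is used as a redirect) are what an SP should do regardless of library.

```python
"""Classify a SAML 2.0 Response as solicited/unsolicited and sanitise RelayState.

Added example, not SimpleSAMLphp code. Everything below (IDs, URLs, hostnames)
is constructed sample data.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SP-initiated response: the IdP echoes our AuthnRequest ID (_req1)
# both on the Response envelope and inside SubjectConfirmationData.
SOLICITED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://sp.example.com/acs" InResponseTo="_req1">
  <saml:Issuer>urn:example:idp</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>urn:example:idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req1"
            Recipient="https://sp.example.com/acs"
            NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Same response with both InResponseTo attributes stripped: what an IdP sends
# when it does not echo the request ID (or for a genuinely IdP-initiated login).
UNSOLICITED = SOLICITED.replace(' InResponseTo="_req1"', "")


def classify_response(response_xml, outstanding_request_ids):
    """Return 'solicited' or 'unsolicited'; raise ValueError on a mismatch.

    outstanding_request_ids: IDs of AuthnRequests this SP issued and has not
    yet consumed (in a real SP these live in the session store).
    """
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("document is not a samlp:Response")

    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        # No request ID echoed back: the SP cannot tie this to a login it
        # started, so it can only be treated as unsolicited (IdP-initiated).
        return "unsolicited"
    if in_response_to not in outstanding_request_ids:
        raise ValueError("InResponseTo %r matches no outstanding AuthnRequest"
                         % in_response_to)

    # Bearer assertions carry their own InResponseTo; it must agree with the
    # envelope, otherwise an assertion could be replayed under a fresh envelope.
    for scd in root.iterfind(".//saml:SubjectConfirmationData", NS):
        scd_irt = scd.get("InResponseTo")
        if scd_irt is not None and scd_irt != in_response_to:
            raise ValueError("SubjectConfirmationData/@InResponseTo disagrees "
                             "with Response/@InResponseTo")
    return "solicited"


def resolve_relay_state(relay_state, allowed_hosts, fallback):
    """Pick the post-login redirect for an unsolicited response.

    RelayState is only used as a redirect target when it is an absolute
    http(s) URL whose host is on the SP's allowlist; anything else (an opaque
    token, a bare path, an external host) falls back to a fixed landing URL.
    """
    if not relay_state:
        return fallback
    parts = urlparse(relay_state)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return fallback  # not a URL: would otherwise be treated as a local path
    if parts.hostname.lower() not in allowed_hosts:
        return fallback  # refuse open redirect to a foreign host
    return relay_state


if __name__ == "__main__":
    print(classify_response(SOLICITED, {"_req1"}))
    print(classify_response(UNSOLICITED, {"_req1"}))
    print(resolve_relay_state("opaque-state-token", {"app.example.com"}, "/"))
```

With the solicited response the SP can look up the stored AuthnRequest and redirect to the page the user originally asked for; with the unsolicited one it has nothing to look up, and a RelayState that is not an absolute allowlisted URL is sent to the fallback rather than being appended to the SP's own URL as a path, which is the kind of redirect that produces a 404.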