I am trying to figure out if there is a way to integrate monday.com with an application. There is a social connection, but I don’t want monday to be the IdP; I need it to be the service provider. I can see that this might work with an enterprise connection configuration, but I am trying to reserve those for systems that have no other option. I may be trying something impossible, but I want to confirm it before I have to try the enterprise connection route.
So what I have is the two systems configured with the proper endpoints and cert sharing. When the connection is tested from Monday, I receive the error:
"error": {
"message": "SAMLRequest message MUST be signed when using an asynchronous binding (POST or Redirect)",
There is no option in the SAML addon in the app to disable this requirement that I can find. I also cannot enable this feature in the Monday system.
Is this possible? If not, why not? Why can’t we disable this requirement in our app level saml settings?
The error message that you are receiving is essentially a security measure from Monday.com which states that, in order for it to trust the request from your application, the request needs to be digitally signed to ensure that it has not been tampered with.
You are correct that within the SAML2 Web App addon there is no switch to disable the requirement for the certificate to be signed. This is because a connection that requires such specific SAML protocol settings for a third-party Service Provider was designated to be created as an Enterprise Connection.
While I do understand your use case and preference to complete the integration in a different way, the recommended approach would be the more robust one, using an Enterprise Connection to configure Auth0 as a SAML Service Provider. Under this Connection type you are able to toggle on/off the requirement to sign the request.
Depending on your current plan, it can also be possible to have additional Enterprise Connections available for you to fully support your requirements and ensure proper and reliable functionality.
If I create an enterprise connection to monday, this makes monday my IdP, does it not? That doesn’t solve the problem where I am using Auth0 as my IdP and monday as a connected application. If I make monday an enterprise connection, then I can only use the connection to give access to different applications, not monday itself. From that perspective, it appears that Auth0 does not support SSO authentication into Monday as an application. Am I wrong in this assessment?
I opened a ticket with Monday, and they appear to give statements conflicting with your assessment, as they are not the ones requiring the signed request but Auth0 is, which is what I assumed based on the error log.
You’ve identified a known limitation: monday.com’s current SAML 2.0 configuration does not provide an option to sign the SAMLRequest message, which Auth0 requires for this specific use case.
Here’s what I’d recommend as next steps:
Contact Auth0 support to see if they can either:
Disable the requirement for signed SAMLRequest messages in your Auth0 configuration, or
Allow unsigned requests as an exception for your setup
Verify the SAML response signing is properly configured on our end to ensure Auth0 receives a signed response
Let us know the outcome from Auth0 if they confirm they require signed requests from the service provider. This would be valuable feedback for our product team regarding SAML signing capabilities
As of now, I don’t see a path forward without a change in one of the systems to make monday.com a valid application in the auth0 ecosystem.
I have read your message again, and indeed the information that I provided is not suitable or correct for your case.
Let me know if you have already tested this, but what you might be looking for would be the following attributes that can be customized within the SAML assertion, using the SAML2 Web App add-on:
signResponse (boolean): Whether or not the SAML response should be signed. By default the SAML assertion will be signed, but not the SAML response. If true, the SAML Response will be signed instead of the SAML assertion.
signingCert (string): Optionally indicates the public key certificate used to validate SAML requests. If set, SAML requests will be required to be signed. A sample value would be “-----BEGIN CERTIFICATE-----\nMIIC8jCCAdqgAwIBAgIJObB6jmhG0QIEMA0GCSqGSIb3DQEBBQUAMCAxHjAcBgNV\n[..all the other lines..]-----END CERTIFICATE-----\n”.
I will search for further information that could help with this and will provide an update in case other settings are available to obtain your desired flow. Please let me know if the above attributes helped you get things working, or if you encountered a different error message that we can look into.
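The addon settings described above, as an added example that is not from this thread or from Auth0 or monday.com: the SAML2 Web App addon settings with signingCert present (which makes Auth0 reject monday.com's unsigned AuthnRequest) beside the corrected settings with it removed, plus a small checker that spells out what each variant signs and requires. The audience and recipient values are placeholders.

```python
# Added example: SAML2 Web App addon "settings" object before and after the fix
# discussed in the thread, with a checker that mirrors the documented semantics.
# Not Auth0's or monday.com's code; audience/recipient values are placeholders.
import json

ADDON_BEFORE = {
    "audience": "https://<monday-account>.monday.com/saml",            # placeholder
    "recipient": "https://<monday-account>.monday.com/saml/consume",   # placeholder
    "signResponse": True,
    # Any non-empty value here turns on validation of SP request signatures,
    # so an SP that cannot sign its AuthnRequest (monday.com) is rejected.
    "signingCert": "-----BEGIN CERTIFICATE-----\n[..placeholder..]\n-----END CERTIFICATE-----\n",
}

# Corrected settings: drop signingCert so unsigned AuthnRequests are accepted,
# but keep signResponse so the SAML response itself is still signed by Auth0.
ADDON_AFTER = {k: v for k, v in ADDON_BEFORE.items() if k != "signingCert"}


def signing_profile(settings: dict) -> dict:
    """Summarise the signing behaviour implied by SAML2 Web App addon settings.

    Semantics follow the attribute descriptions quoted in the thread: the
    assertion is signed by default; signResponse=True signs the response instead;
    a non-empty signingCert makes Auth0 require signed SAMLRequests from the SP.
    """
    sign_response = bool(settings.get("signResponse", False))
    return {
        "requires_signed_request": bool(settings.get("signingCert")),
        "signs_response": sign_response,
        "signs_assertion": not sign_response,
    }


def accepts_unsigned_request(settings: dict) -> bool:
    """True when an SP that does not sign its AuthnRequest can complete login."""
    return not signing_profile(settings)["requires_signed_request"]


if __name__ == "__main__":
    for name, cfg in (("before", ADDON_BEFORE), ("after", ADDON_AFTER)):
        print(name, json.dumps(signing_profile(cfg)),
              "unsigned request accepted:", accepts_unsigned_request(cfg))
```

With signingCert removed, request integrity no longer relies on an SP signature, so the signed response plus a strict audience and recipient are what the SP side should still verify.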
The problem is the request being unsigned, not the response, so those values do not apply for this specific scenario, but those had already been set. Monday is not sending a signed request and the Auth0 app is requiring it. I am able to turn it off in enterprise connections; it just doesn’t make sense for this scenario.
I just read your response again and must have missed the signingCert presence forcing the requirement of signing requests. Once I removed this, it does seem to log in correctly. I am getting a cert issue warning on Monday’s side now, but I will reach out to them to see if they have any further feedback.
Since they require a URL for the public cert, I am using the URL:
https://<custom_domain>.us.auth0.com/pem
If this is not correct, it would probably be the reason, but I don’t know of any other public URLs for this.