OmniAuth Web App Will Not Communicate with SAML-Based IdP

Problem statement

When using a regular web application built with the Auth0 Ruby on Rails SDK: by default, this includes omniauth-auth0, a custom OmniAuth authentication strategy that speaks OpenID Connect (OIDC).

There is a requirement to implement IdP-initiated login via the SAML protocol. In this particular arrangement, Auth0 is configured as the Service Provider (SP) and a third-party platform has been configured to serve as the Identity Provider (IdP).

However, the login flow fails to complete.

Symptoms

The SAML login flow halts on the IdP side and a white screen is displayed.

Troubleshooting

  • The tenant logs may include a Failed Login (f) event with the error description “Unknown error from provider”. This event will be associated with both the SAML connection and the web application.

  • Capture a HAR file of the login flow, as this may provide useful insights into where and how the flow is failing. In particular, compare what is posted to the application's callback URL with what the application expects: a SAMLResponse form field indicates a SAML response, whereas code and state query parameters indicate an OIDC response.

Cause

A problem can arise in circumstances where:

  • OmniAuth does not ship a SAML strategy by default, and the Auth0 strategy the SDK installs is OIDC-based
  • The third-party IdP supports SAML but has no support for OIDC

The SAML authentication itself completes successfully at the IdP, but the response never reaches the Ruby application in a usable form, because the application relies on OmniAuth and only knows how to consume an OIDC response.

  • On the application backend this may manifest as an error of type ‘CSRF detected’. The backend cannot match the incoming request to a valid state value, because it is not expecting a SAML response.
  • OmniAuth first handles the request phase (the start URL, /auth/auth0 by default, requested with POST; older OmniAuth versions also accepted GET), where it generates a state token and stores it in the session. In the callback phase (GET/POST /auth/auth0/callback) it checks that the state parameter in the request matches the token stored in the session.
  • The callback of the OIDC strategy expects code and state parameters and then exchanges the code at the token endpoint for a JSON response carrying the tokens and the provider-specific user data. An IdP-initiated SAML response is instead a form POST carrying a SAMLResponse parameter and no state, so the state check fails, the login flow halts and a white screen is displayed.
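The following Ruby script is an added example, not code from the Auth0 SDK or the omniauth-oauth2 gem: it models only the request-phase/callback-phase state check described above, enough to reproduce why a direct IdP-initiated SAML post to an OIDC callback ends in :csrf_detected while a normal SP-initiated OIDC callback passes. The tenant URL, authorization code and SAMLResponse payload are constructed placeholders.

```ruby
require "securerandom"

# Simplified model of OmniAuth's two phases as used by an OIDC-based strategy.
# This is illustrative code, not omniauth-auth0 / omniauth-oauth2 itself.
module OmniAuthStateModel
  AUTHORIZE_URL = "https://example-tenant.auth0.com/authorize" # assumed tenant

  # Request phase (POST /auth/auth0 by default): create a random state,
  # store it in the session and build the redirect to the authorize endpoint.
  def self.request_phase(session)
    state = SecureRandom.hex(24)
    session["omniauth.state"] = state
    "#{AUTHORIZE_URL}?response_type=code&scope=openid&state=#{state}"
  end

  # Callback phase (/auth/auth0/callback): the state parameter must be present
  # and equal to the value saved in the request phase. Otherwise the strategy
  # fails with :csrf_detected before looking at anything else in the request.
  def self.callback_phase(session, params)
    expected = session.delete("omniauth.state")
    state    = params["state"].to_s
    if state.empty? || state != expected
      return { outcome: :csrf_detected, reason: "state missing or does not match session" }
    end
    code = params["code"].to_s
    return { outcome: :invalid_credentials, reason: "no authorization code" } if code.empty?
    # The real strategy would now exchange `code` at the token endpoint (JSON).
    { outcome: :success, code: code }
  end

  # Helper for reading a HAR capture: tells an OIDC callback apart from a
  # SAML response posted to the same URL.
  def self.classify(params)
    return :saml_response if params.key?("SAMLResponse")
    return :oidc_code     if params.key?("code") && params.key?("state")
    :unknown
  end
end

# Scenario 1: SP-initiated OIDC login. Request phase first, then a callback
# carrying the same state; the check passes.
def sp_initiated_oidc_login
  session  = {}
  redirect = OmniAuthStateModel.request_phase(session)
  state    = redirect[/state=(\h+)/, 1]
  params   = { "code" => "SplxlOBeZQQYbYS6WxSbIA", "state" => state } # constructed
  OmniAuthStateModel.callback_phase(session, params)
end

# Scenario 2: IdP-initiated SAML. The browser is posted straight to the
# callback with a SAMLResponse form field; the request phase never ran, so
# there is neither a state in the session nor a state parameter in the request.
def idp_initiated_saml_post
  session = {}
  params  = {
    "SAMLResponse" => ["<samlp:Response/>"].pack("m0"), # constructed base64 stub
    "RelayState"   => ""
  }
  OmniAuthStateModel.callback_phase(session, params)
end

# Scenario 3: a replayed or forged callback whose state does not match.
def mismatched_state_callback
  session = {}
  OmniAuthStateModel.request_phase(session)
  OmniAuthStateModel.callback_phase(session, { "code" => "x", "state" => "attacker-chosen" })
end

if $PROGRAM_NAME == __FILE__
  puts "SP-initiated OIDC:  #{sp_initiated_oidc_login}"
  puts "IdP-initiated SAML: #{idp_initiated_saml_post}"
  puts "Mismatched state:   #{mismatched_state_callback}"
end
```

Running the script shows the first scenario succeeding and the other two failing with :csrf_detected, which is the same outcome the application backend reports as ‘CSRF detected’ when the SAML response lands on the OIDC callback. The classify helper is the check worth applying to the callback request in a HAR capture.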

Solution

Auth0 provides a way to bridge between the Ruby SDK (or any other OIDC-dependent SDK) and a SAML-based IdP. In this flow Auth0 receives the Identity Provider-initiated (IdP-initiated) SAML response and translates it into an OpenID Connect (OIDC) response for the application.

Auth0 will output an OIDC response unless the SAML2 Web App addon has been explicitly enabled for the application (enabling that addon is completely separate from setting up an external SAML IdP as a connection in Auth0).

For detailed information about implementing this function, refer to the document Configure IdP-Initiated SAML Sign-on to OIDC Apps.

Related References