
SAML 2.0 IDP: issuer problem


#1

Hi, I am using Auth0 as an Identity Provider for an external SAML 2.0 Service Provider.

I got this error from the Service Provider: The SAML Response issuer is not the same entity to whom the corresponding request was sent.

Checking the SAML response that Auth0 generates on the http://samltool.io website, I saw Auth0 adds a LINE BREAK CHAR at the end of the issuer. I was wondering if this could be the problem. Could you confirm?

I got this:

<saml:Issuer
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">MY_ISSUER
</saml:Issuer>

instead of this:

<saml:Issuer
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">MY_ISSUER</saml:Issuer>

#2

I believe that’s the doing of the tool. I just got a SAML assertion issued from Auth0 to a service provider, and if I decode the assertion using just a Base64 decoder I see that the XML is all on a single line with no line breaks.

The above seems to point to the underlying root cause being something else entirely; I would recommend checking if the service provider has any sort of additional logging that could be used to obtain more information. In particular, finding out which issuer the service provider was expecting, or if there’s any other reason for throwing such an error.

For example, a Google search mentions that error here and the root cause has nothing to do with the SAML identity provider and more just a timeout imposed by the service provider.

It has been reported that FIM 3.1.2 has issues handling authentication requests that take longer than 5 minutes to complete. If an end user takes longer than this time to provide their credentials, the authentication attempt will fail.
(…)
Unable to process the Response message, com.rsa.fim.exception.ProfileException: The SAML Response issuer is not the same entity to whom the corresponding request was sent


#3

Thanks for the help.

Well, the response is very fast, so I don’t believe this is a timeout thing. I also thought it could be something related to special chars, but I removed them too and the error persists.
In the Assertion part of the XML, I got the issuer correct, without line breaks:

    <saml:Issuer>MY_ISSUER_HERE</saml:Issuer>

But in the root node I got a LINE BREAK CHAR:

<saml:Issuer
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">MY_ISSUER_HERE
</saml:Issuer>

Instead of

<saml:Issuer
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">MY_ISSUER_HERE</saml:Issuer>

I was wondering, is it possible to strip/trim the issuer value in an Auth0 Rule through JavaScript code? Something like:

function (user, context, callback) {
    // JavaScript strings have trim(), not strip()
    context.issuer = context.issuer.trim();
    // A Rule must always hand control back through the callback
    callback(null, user, context);
}

This could be a bug in the Auth0 systems. How can we rule this option out?

Thanks again
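One way to perform the check suggested in #2 (decode the raw SAMLResponse with a plain Base64 decoder instead of trusting a rendering tool) and tell a genuine issuer mismatch apart from stray whitespace in either the Response or the Assertion Issuer, as discussed in #3. This is an added example, not code from the thread or from Auth0; the function names are mine and the SAML response XML is constructed with a deliberate trailing newline.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: minimal Response whose root Issuer carries a trailing
# newline while the Assertion's Issuer does not (the situation described above).
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_resp1" Version="2.0">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    "MY_ISSUER\n</saml:Issuer>"
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_a1" Version="2.0"><saml:Issuer>MY_ISSUER</saml:Issuer></saml:Assertion>'
    "</samlp:Response>"
)
SAMPLE_SAML_RESPONSE = base64.b64encode(SAMPLE_XML.encode()).decode()


def extract_issuers(saml_response_b64):
    """Base64-decode a SAMLResponse form value and return both raw Issuer texts."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    response_issuer = root.find("saml:Issuer", NS)
    assertion_issuer = root.find("saml:Assertion/saml:Issuer", NS)
    return {
        "response": response_issuer.text if response_issuer is not None else None,
        "assertion": assertion_issuer.text if assertion_issuer is not None else None,
    }


def check_issuer(saml_response_b64, expected_issuer):
    """Compare each Issuer with the SP's expected value, exactly and after trim."""
    verdicts = {}
    for where, raw in extract_issuers(saml_response_b64).items():
        if raw is None:
            verdicts[where] = "missing"
        elif raw == expected_issuer:
            verdicts[where] = "exact"
        elif raw.strip() == expected_issuer:
            verdicts[where] = "trimmed_only"  # whitespace is the only difference
        else:
            verdicts[where] = "mismatch"      # a real issuer problem, not whitespace
    return verdicts


if __name__ == "__main__":
    for where, raw in extract_issuers(SAMPLE_SAML_RESPONSE).items():
        print(f"{where} Issuer: {raw!r}")  # repr() makes a hidden '\n' visible
    print(check_issuer(SAMPLE_SAML_RESPONSE, "MY_ISSUER"))
```

Feed it the SAMLResponse value captured from the browser POST; a verdict of "mismatch" on both elements means the SP expects a different entity ID, not a whitespace fix.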

