SAML Connection Login Error: "IdP-Initiated login is not enabled for connection "CONNECTION_NAME""

Problem statement

A SAML connection has been configured in a tenant. A normal Service Provider Initiated (SP-Initiated) login attempt is performed; however, the login fails and the following error is displayed:

"IdP-Initiated login is not enabled for connection "CONNECTION_NAME""

Explain the meaning of the error and how it can be fixed.

Symptoms

  • After authenticating with the SAML IdP, the login fails when the browser is redirected back to Auth0

Troubleshooting

  • Create a HAR file that captures the failed login flow. For further information, refer to Generate and Analyze HAR Files
  • Examine the contents of the HAR file to determine the point at which the login flow fails, paying particular attention to the host on which the flow starts and the host to which the SAML Response is posted
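The following script, added here as an illustration and not part of the original article, automates the HAR check described above: it finds the host on which the login started (the /authorize request) and the host that received the SAML Response (the POST carrying a SAMLResponse form field) and reports whether they differ. The HAR excerpt is constructed, not a real capture; the hostnames example.eu.auth0.com and login.example.com, the connection name my-saml-idp, and the /login/callback path are assumptions for the example.

```python
import json
from urllib.parse import urlparse

# Constructed HAR excerpt (not a real capture). The browser starts the login on the
# tenant's canonical domain, is sent to the IdP, and the IdP posts the SAML Response
# back to the tenant's custom domain, where the login fails.
CONSTRUCTED_HAR = json.dumps({
    "log": {"entries": [
        {"request": {"method": "GET",
                     "url": "https://example.eu.auth0.com/authorize?client_id=abc"
                            "&connection=my-saml-idp&redirect_uri=https://app.example.com/cb"},
         "response": {"status": 302}},
        {"request": {"method": "GET",
                     "url": "https://idp.example.com/sso?SAMLRequest=REDACTED"},
         "response": {"status": 200}},
        {"request": {"method": "POST",
                     "url": "https://login.example.com/login/callback?connection=my-saml-idp",
                     "postData": {"params": [{"name": "SAMLResponse", "value": "REDACTED"}]}},
         "response": {"status": 400}},
    ]}
})


def _carries_saml_response(request):
    """True if the request body is a SAML Response POST (form param or raw body)."""
    post = request.get("postData", {})
    if any(p.get("name") == "SAMLResponse" for p in post.get("params", [])):
        return True
    return "SAMLResponse=" in post.get("text", "")


def find_saml_domain_mismatch(har_text):
    """Return the start host, the ACS host and whether the login changed domains."""
    entries = json.loads(har_text)["log"]["entries"]
    start_host = acs_host = acs_status = None
    for entry in entries:
        req = entry["request"]
        url = urlparse(req["url"])
        # The first /authorize call is where the SP-initiated flow begins.
        if start_host is None and url.path == "/authorize":
            start_host = url.netloc
        # The POST carrying SAMLResponse is the Assertion Consumer Service call.
        if req["method"] == "POST" and _carries_saml_response(req):
            acs_host = url.netloc
            acs_status = entry.get("response", {}).get("status")
    mismatch = (start_host is not None and acs_host is not None
                and start_host != acs_host)
    return {"start_host": start_host, "acs_host": acs_host,
            "acs_status": acs_status, "mismatch": mismatch}


if __name__ == "__main__":
    result = find_saml_domain_mismatch(CONSTRUCTED_HAR)
    print(f"login started on {result['start_host']}, "
          f"SAML Response posted to {result['acs_host']} "
          f"(HTTP {result['acs_status']})")
    if result["mismatch"]:
        print("domain mismatch: the Response cannot be tied to the original request")
```

Run it against an exported HAR by replacing CONSTRUCTED_HAR with the file contents; a `mismatch` of True with a 4xx on the ACS POST is the signature of the problem described in this article.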

Cause

The application is redirecting the user to the Auth0 tenant’s Canonical Domain:

{your-tenant}.{region}.auth0.com (e.g. example.eu.auth0.com)

However, the SAML connection is configured to send the SAML Response back to the Custom Domain that has been configured within the tenant. For further information, refer to Configure Features to use with Custom Domains.

A standard SAML SP-initiated request requires that the login begins and ends on the same domain. When the login begins with the Canonical Domain but completes with a redirect to the Custom Domain, the SAML Response is no longer associated with the initial SAML Request made from the Canonical Domain.

Due to this lack of context, the SAML Response is treated as IdP-initiated. Given that SAML connections are not configured by default to support this type of login flow, the resulting error is thrown:

"IdP-Initiated login is not enabled for connection "CONNECTION_NAME""
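To make the classification concrete, here is an added example (illustrative code, not Auth0's implementation) of how a Service Provider decides whether a SAML Response is SP-initiated or IdP-initiated: the Response's InResponseTo must match a pending AuthnRequest, and pending requests are tracked per host, so a request issued on the canonical domain is not visible when the Response lands on the custom domain. The Response XML, the request ID _req123, the hostnames and the connection name are constructed for the example.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed SAML Response (not a real capture). The IdP posts it to the ACS URL on
# the custom domain, but the AuthnRequest it answers was issued from the canonical
# domain. Signature and assertion are omitted because only the routing is shown here.
CONSTRUCTED_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    InResponseTo="_req123"
    Destination="https://login.example.com/login/callback?connection=my-saml-idp">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
</samlp:Response>"""


def classify_saml_response(response_xml, pending_requests,
                           idp_initiated_enabled=False, connection="my-saml-idp"):
    """Return 'sp-initiated' or 'idp-initiated', or raise the connection error.

    pending_requests is a set of (host, request_id) pairs for AuthnRequests this SP
    has issued and not yet consumed; the host is the domain the login began on.
    For untrusted input in production, parse with defusedxml rather than ElementTree.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    dest_host = urlparse(root.get("Destination", "")).netloc
    in_response_to = root.get("InResponseTo")
    # SP-initiated only when the Response answers a request issued on the same host
    # it arrived at. Starting on the canonical domain and finishing on the custom
    # domain leaves no matching entry, so the Response looks unsolicited.
    if in_response_to and (dest_host, in_response_to) in pending_requests:
        return "sp-initiated"
    if idp_initiated_enabled:
        return "idp-initiated"
    raise PermissionError(
        f'IdP-Initiated login is not enabled for connection "{connection}"')


if __name__ == "__main__":
    # The request was issued on the canonical domain; the Response arrives on the
    # custom domain, reproducing the error from this article.
    pending = {("example.eu.auth0.com", "_req123")}
    try:
        print(classify_saml_response(CONSTRUCTED_RESPONSE, pending))
    except PermissionError as err:
        print("error:", err)
```

The fix described in the Solution section maps directly onto this check: either the login starts on the custom domain (the pending entry is stored under login.example.com) or the IdP posts back to the canonical domain (Destination carries example.eu.auth0.com), and in both cases the lookup succeeds.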

Solution

Update either the application or the SAML IdP settings so that the login begins and ends on the same domain: have the application start the login on the Custom Domain, or have the IdP send the SAML Response to the Canonical Domain. Which option is appropriate will vary according to the application and IdP configuration.

Related References