SAML Error: NameQualifier

Problem statement

We are testing an inbound IdP-initiated SAML login from our vendor and get the error:

access_denied: NameQualifier attribute in the NameID element does not match https://shorew-test.redata.com/ms/SAML?MS_CONTEXT=SW_LEADINGRE_SAML.

This is an Enterprise SAML connection.
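Before deciding how to resolve the error it helps to see exactly what the vendor's IdP is sending. The script below is an added example and not part of this article or of Auth0's own code: it parses a constructed SAML Response, pulls out the Issuer and the NameID attributes (Format, NameQualifier, SPNameQualifier), and compares the NameQualifier against the entity ID that Auth0 reports in the error message (the URL after "does not match"). All values in the sample are made up; paste the decoded Response from your browser's SAML tracer in place of SAMPLE_RESPONSE.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample (not a real capture): a minimal IdP-initiated Response whose
# NameID carries a NameQualifier that differs from the Issuer. Signature,
# Conditions and AuthnStatement are omitted because they play no part in this check.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z" Destination="https://example.auth0.com/login/callback">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          NameQualifier="https://idp.example.com/legacy"
          SPNameQualifier="urn:auth0:example:vendor-saml">abc123</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def inspect_name_id(response_xml, expected_name_qualifier):
    """Return the NameID details of a decoded SAML Response and whether the
    NameQualifier (when present) equals the entity ID Auth0 expects.

    expected_name_qualifier is the value shown in Auth0's error message, i.e.
    the IdP EntityID configured on the connection (per the article above).
    For production tooling parse untrusted XML with defusedxml instead of the
    stdlib parser to rule out entity-expansion attacks.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion found; decrypt an EncryptedAssertion first")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("Assertion has no Subject/NameID")

    name_qualifier = name_id.get("NameQualifier")
    return {
        "issuer": assertion.findtext("saml:Issuer", default="", namespaces=NS).strip(),
        "name_id": (name_id.text or "").strip(),
        "format": name_id.get("Format"),
        "name_qualifier": name_qualifier,
        "sp_name_qualifier": name_id.get("SPNameQualifier"),
        "expected_name_qualifier": expected_name_qualifier,
        # None when the attribute is absent (nothing to compare); otherwise the
        # comparison that Auth0's error message describes.
        "name_qualifier_ok": None if name_qualifier is None
        else name_qualifier == expected_name_qualifier,
    }


if __name__ == "__main__":
    # The expected value is hypothetical; use the URL from your own error message.
    for key, value in inspect_name_id(SAMPLE_RESPONSE, "https://idp.example.com/saml").items():
        print(f"{key:24} {value}")
```

A result of name_qualifier_ok = False with the NameQualifier printed next to the expected value is the concrete detail to hand to the vendor when asking for the change in path 1 below; if the attribute is absent the output shows None and the mismatch must be coming from elsewhere.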

Solution

There are two paths we can take to resolve this issue.

  1. Depending on the Identity Provider, your vendor may be able to change the NameQualifier attribute in the SAML assertion so that it matches their EntityID, which is the value Auth0 expects and prints after "does not match" in the error. This requires a change on their side and may not be possible with their configuration.

  2. Auth0 can disable this validation for an individual connection. Use the Auth0 Management API to update the connection (PATCH /api/v2/connections/{id}) and set the "checkNameQualifier" property inside "options" to false. See the Management API documentation:
    Auth0 Management API v2
    Below is an example of the body structure of such a request:

{
  "options": {
    ...place the connection's existing options here, since PATCH replaces the whole "options" object and anything left out is lost...
    "checkNameQualifier": false
  }
}

With this property set to false, NameQualifier validation is disabled for this connection only, and the SAML exchange should succeed. Note that Auth0 will then accept the assertion whatever NameQualifier the IdP sends, so path 1 is preferable where the vendor can make the change.
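The following script is an added example, not code from this article or from Auth0, that carries out path 2 safely: it reads the connection with GET, copies the existing options unchanged, flips only checkNameQualifier, writes the result back with PATCH and confirms the flag took effect. The tenant domain, token and connection id are placeholders; the token needs the read:connections and update:connections scopes. SAMPLE_CONNECTION is a constructed, trimmed copy of what the GET returns, used so build_patch_body can be exercised offline.

```python
import json
import urllib.request

# Hypothetical placeholders: your tenant domain, a Management API token with the
# read:connections and update:connections scopes, and the connection id (con_...).
AUTH0_DOMAIN = "example.auth0.com"
MGMT_TOKEN = "REPLACE_WITH_MANAGEMENT_API_TOKEN"
CONNECTION_ID = "con_REPLACE"

# Constructed sample (not a real tenant) of a GET /api/v2/connections/{id} result.
SAMPLE_CONNECTION = {
    "id": "con_REPLACE",
    "strategy": "samlp",
    "name": "vendor-saml",
    "options": {
        "signInEndpoint": "https://idp.example.com/sso",
        "signingCert": "REDACTED-PEM",
        "protocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "checkNameQualifier": True,
    },
}


def build_patch_body(connection):
    """Build the PATCH body from the connection as currently stored.

    PATCH replaces the whole "options" object, so every existing option is copied
    first and only checkNameQualifier is changed. Nothing else (name, strategy,
    id) belongs in the body. The input dict is left unmodified.
    """
    options = dict(connection.get("options") or {})
    options["checkNameQualifier"] = False
    return {"options": options}


def _request(method, path, body=None):
    """Minimal Management API call; raises urllib.error.HTTPError on non-2xx."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"https://{AUTH0_DOMAIN}/api/v2/{path}",
        data=data,
        method=method,
        headers={
            "Authorization": f"Bearer {MGMT_TOKEN}",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def disable_name_qualifier_check(connection_id):
    """Read-modify-write the connection and return True once the API reports
    checkNameQualifier as false."""
    current = _request("GET", f"connections/{connection_id}")
    updated = _request("PATCH", f"connections/{connection_id}", build_patch_body(current))
    return updated.get("options", {}).get("checkNameQualifier") is False


if __name__ == "__main__":
    # Offline preview of the body that would be sent for the sample connection;
    # replace this with disable_name_qualifier_check(CONNECTION_ID) to apply it.
    print(json.dumps(build_patch_body(SAMPLE_CONNECTION), indent=2))
```

Run it once with the print line to review the body, then switch to disable_name_qualifier_check; keeping the GET in the same run as the PATCH avoids the common mistake of sending a hand-typed options object that silently drops the signing certificate or endpoint.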