SAML login, invalid_token for SPA application

  • What are you trying to achieve? What is the use case or idea behind it?
    Trying to connect SAML accounts to our SPA application with Auth0 as SP

I am using the setup described here for SPA.

And I have configured the SAML connection using the guide here

I do get a successful connection when I click the “Try” button on the SAML connection, and the received user data looks ok, and the user shows up in the Auth0 user list.

But I am unable to login to my application. I am testing this using the “Sign in as user” functionality for the SAML user.

I am getting

{error: "invalid_token", errorDescription: "`state` does not match."}

I see a similar issue here: Strange access token returned by SAML

but I have not been able to solve it from that discussion.

I tried following the troubleshooting guide here

I am unable to do assertion analysis with HAR, because the login fails before the POST back to the application, so the HAR does not seem to contain any relevant information.

Could this be the missing audience parameter? I do not have any entry for “Query string” under “IdP-Initiated SSO” for the SAML connection config. I am not sure what I should put there, if anything.

There are a couple of things to note here. In particular, the way you’re testing (through the sign in as user option) implies you’re using the impersonation feature, which won’t work by default, as the client application library is performing a state validation that the impersonation feature is unable to provide. In addition, this being a SAML connection, it can also make use of the IdP-Initiated flow; however, that also implies a similar flow.

If you don’t have a real requirement to support impersonation or IdP-Initiated flows then the simplest thing to do would be to not use them for testing purposes and confirm that the SAML connection is working as expected by initiating an authentication request from the Vue.js client application itself. The quickstart you linked to makes use of the hosted login page so if you configured the SAML connection with Email domains and you’re using the default hosted login page (Lock) then if you enter an email address associated with that SAML connection Lock will recognize this and use that connection to authenticate the end-user.

Thanks for the response! I was not aware that the impersonation was not available by default. I have now added the email domain and was able to get successful SAML login when entering my SAML user email in the lock view.

Followup question to this. What if we can not list all relevant email domains? Our SAML identity provider has identities from a wide range of domains. Is it possible to have a “Log in with SAML” button with arbitrary email domains, instead of having the lock automatically recognize the email domains?

Is this when you need the “SAML2 Web App” addon? I do not really understand what that addon provides in addition to the existing SAML connection that I have already configured. It is for client specific configuration, whereas the SAML connection is global for the entire tenant?
