SAML Login Simultaneously Support Canonical and Custom Domains

Problem statement

Some Identity Providers can support configuring multiple ACS URLs. To minimize any reduction in service during a domain migration, is there a way to allow for a SAML connection to support login flows using both the custom domain and canonical domain?

Solution

If an application is performing a Service Provider (SP) initiated flow, the SAML Request template can be updated in the connection settings to send the appropriate ACS URL in the request.

This is useful when migrating to a custom domain: the URL in the request reflects either the canonical domain or the custom domain, depending on which domain the login transaction was initiated on. Auth0 sets this URL from the current request context.

To do this, add the AssertionConsumerServiceURL="@@AssertionConsumerServiceURL@@" attribute to the SAML request template so that the ACS URL is filled in per transaction. Both the canonical-domain and custom-domain ACS URLs must be registered at the IdP, since an IdP only delivers assertions to ACS URLs it has been configured with.

Additionally, the ‘Sign Request’ toggle must be turned on in the connection settings for this to work.

Below is an example of how this request template would look:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="@@AssertionConsumerServiceURL@@"
    Destination="@@Destination@@"
    ID="@@ID@@"
    IssueInstant="@@IssueInstant@@"
    ProtocolBinding="@@ProtocolBinding@@" Version="2.0">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@@Issuer@@</saml:Issuer>
</samlp:AuthnRequest>
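
The following is an added illustration, not Auth0 code: it renders the template above from a constructed login context for either domain, then applies the IdP-side check that the resulting ACS URL is one of the registered values. Connection name, tenant hostnames, IdP SSO URL and issuer are all hypothetical sample values.

```python
import re
import uuid
from datetime import datetime, timezone
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# Request template from the article, with Auth0-style @@placeholders@@.
AUTHN_REQUEST_TEMPLATE = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="@@AssertionConsumerServiceURL@@"
    Destination="@@Destination@@"
    ID="@@ID@@"
    IssueInstant="@@IssueInstant@@"
    ProtocolBinding="@@ProtocolBinding@@" Version="2.0">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@@Issuer@@</saml:Issuer>
</samlp:AuthnRequest>"""

# Constructed sample configuration (hypothetical names, not real tenant values).
CONNECTION_NAME = "example-saml"
IDP_SSO_URL = "https://idp.example.com/sso"
ISSUER = "urn:example-issuer"
# ACS URLs registered at the IdP: canonical domain and custom domain.
ALLOWED_ACS_URLS = {
    "https://example-tenant.auth0.com/login/callback?connection=example-saml",
    "https://login.example.com/login/callback?connection=example-saml",
}


def render_authn_request(login_domain: str) -> str:
    """Fill the template for the domain the login transaction started on."""
    values = {
        "AssertionConsumerServiceURL": f"https://{login_domain}/login/callback?connection={CONNECTION_NAME}",
        "Destination": IDP_SSO_URL,
        "ID": "_" + uuid.uuid4().hex,
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "Issuer": ISSUER,
    }
    # Escape each value so attribute and text content stay well-formed XML.
    return re.sub(r"@@(\w+)@@", lambda m: escape(values[m.group(1)], {'"': "&quot;"}), AUTHN_REQUEST_TEMPLATE)


def acs_url_of(request_xml: str) -> str:
    """Parse the rendered request and return the ACS URL it asks for."""
    return ET.fromstring(request_xml).attrib["AssertionConsumerServiceURL"]


def idp_accepts(request_xml: str) -> bool:
    """IdP-side check: only deliver the assertion to a registered ACS URL."""
    return acs_url_of(request_xml) in ALLOWED_ACS_URLS
```

A request rendered for either registered domain passes the check, while one for an unregistered domain is refused, which is why both ACS URLs must be registered at the IdP before switching the template.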

However, for Identity Provider (IdP) initiated flows there is no request in which to carry the ACS URL, so the applications and the IdP must be updated at the same time to ensure that they use the same domain for the ACS URL.

Related References: