SAML Send URL instead of Entity ID

lab5 · April 2, 2018, 9:38pm

Hello,
I am working with my IT department to integrate Auth0 with their Shibboleth IdP SSO software. I am able to log in successfully using the “play” button in the list of SAML enterprise connections, but I get back no user attributes (all fields say “empty”). I spoke to my IT department and they told me that the requests from Auth0 they received are not correctly formatted for them to authorize attribute release, since they authorize attribute releaser by URL, and Auth0 sends the Entity ID “urn:auth0:myorg:conn” instead of a URL (I believe the correct URL would be “https://myorg.auth0.com/login/callback?connection=conn”). For example, in the following log from the Shibboleth IdP:

2018-04-02 08:01:56,824 - INFO [Shibboleth-Audit.SSO:241] - 20180402T120156Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_02fbcadddd306118bad2|urn:auth0:myorg:conn|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.myorg.edu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_42b9147051399b151d6b1fe3b91297bc|lab5|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||AAdzZWNyZXQxSU7[...etc]|_9479917446bca8e9775ebf96c183de77|

The Shibboleth IdP expects a URL instead of “urn:auth0:myorg:conn”

Is it possible to configure Auth0 to send the URL directly this way?

Thank you

kimcodes · April 4, 2018, 2:25pm

@lab5 You should be able to set URLs for the entity ID if you cannot use URNs.

One way we can do this is could be to update the entity with the management API. You’ll need to patch the connection’s options, e.g.:

{
"options": {
    "entityId": "THE URL ENTITY ID",
    ...
},
...

Please let me know if this works for you!

lab5 · April 4, 2018, 4:52pm

Kim,

Thanks very much for your help. I was able to update the entity ID successfully using the API. One quick follow up question is: should I use the url “https://myorg.auth0.com/” or the url “https://myorg.auth0.com/login/callback?connection=myconn” as the URL entity ID?

Thanks,
Luke

kimcodes · April 4, 2018, 5:13pm

Great question! For a connection named ext-saml-idp-a for example, the service provider Entity ID would be urn:auth0:{auth0_domain}:ext-saml-idp-a as you mentioned earlier (urn:auth0:myorg:con) so for the URL I believe it should be something like "https://{auth0_domain}.auth0.com/saml/ext-saml-idp-a". Let me double check on this.

Also, please note I did not mention earlier but when we make the patch for the options you’ll need to provide any pre-existing options (if any) since they’ll get cleared and would be an incorrectly configured connection at that point.

Topic		Replies	Views
URL for SAML Issuer Entity ID instead of URN for single Application Get Help saml , auth0	0	4243	August 12, 2019
URN as entityId - Auth0 as Idp SAML Get Help saml , saml2 , idp	6	8072	December 3, 2024
Management API doesn't return connection entity ID Get Help management-api , connections-management-api	7	673	February 1, 2024
Migrate existing sso saml connections to auth0 Get Help login-experience , new-universal-login-experience	6	1093	April 14, 2026
Changing issuer in Auth0 SAML enterprise connection Get Help saml	5	3609	February 22, 2023

SAML Send URL instead of Entity ID

Related topics