Hello,
I am working with my IT department to integrate Auth0 with their Shibboleth IdP SSO software. I am able to log in successfully using the “play” button in the list of SAML enterprise connections, but I get back no user attributes (all fields say “empty”). I spoke to my IT department and they told me that the requests from Auth0 they received are not correctly formatted for them to authorize attribute release, since they authorize attribute release by URL, and Auth0 sends the Entity ID “urn:auth0:myorg:conn” instead of a URL (I believe the correct URL would be “https://myorg.auth0.com/login/callback?connection=conn”). For example, in the following log from the Shibboleth IdP:
2018-04-02 08:01:56,824 - INFO [Shibboleth-Audit.SSO:241] - 20180402T120156Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_02fbcadddd306118bad2|urn:auth0:myorg:conn|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.myorg.edu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_42b9147051399b151d6b1fe3b91297bc|lab5|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||AAdzZWNyZXQxSU7[...etc]|_9479917446bca8e9775ebf96c183de77|
The Shibboleth IdP expects a URL instead of “urn:auth0:myorg:conn”.
Is it possible to configure Auth0 to send the URL directly this way?
Great question! For a connection named ext-saml-idp-a, for example, the service provider Entity ID would be urn:auth0:{auth0_domain}:ext-saml-idp-a, as you mentioned earlier (urn:auth0:myorg:conn), so for the URL I believe it should be something like "https://{auth0_domain}.auth0.com/saml/ext-saml-idp-a". Let me double check on this.
Also, please note I did not mention this earlier, but when we make the patch for the options you’ll need to provide any pre-existing options (if any), since they’ll get cleared and the connection would be incorrectly configured at that point.
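Added example (not code from this thread or from Auth0) of the read-merge-write pattern the reply describes: fetch the connection, merge the new option into the options already present, and only then PATCH. It assumes that PATCH /api/v2/connections/{id} replaces the whole `options` object and that `entityId` is the samlp option carrying the custom SP entity ID; the sample connection is constructed.

```python
"""Read-merge-write for an Auth0 SAML (samlp) connection's options.
Assumptions: PATCH replaces the whole `options` object, and `entityId`
is the option that overrides the SP entity ID (both assumed, not from the thread)."""
import json
import urllib.request

# Constructed sample of what GET /api/v2/connections/{id} might return.
SAMPLE_CONNECTION = {
    "id": "con_EXAMPLE",
    "name": "conn",
    "strategy": "samlp",
    "options": {
        "signInEndpoint": "https://idp.myorg.edu/idp/profile/SAML2/Redirect/SSO",
        "signingCert": "-----BEGIN CERTIFICATE-----...(constructed)...",
    },
}


def merge_options(existing: dict, updates: dict) -> dict:
    """Everything already configured plus `updates` (updates win on conflict)."""
    merged = dict(existing or {})
    merged.update(updates)
    return merged


def options_that_would_be_cleared(existing: dict, body: dict) -> set:
    """Keys a PATCH body silently drops, because `options` is replaced, not merged."""
    return set(existing or {}) - set(body.get("options", {}))


def build_patch_body(connection: dict, updates: dict) -> dict:
    """PATCH body for a samlp connection that carries the pre-existing options over."""
    if connection.get("strategy") != "samlp":
        raise ValueError("expected a samlp connection")
    return {"options": merge_options(connection.get("options"), updates)}


def patch_connection(domain: str, token: str, connection: dict, updates: dict) -> dict:
    """Send the merged PATCH with a Management API token (network call, not run here)."""
    body = build_patch_body(connection, updates)
    req = urllib.request.Request(
        f"https://{domain}/api/v2/connections/{connection['id']}",
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Run `options_that_would_be_cleared` on the body before sending it: a non-empty result means the PATCH would wipe settings the connection still needs.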