SAML Send URL instead of Entity ID

saml

#1

Hello,
I am working with my IT department to integrate Auth0 with their Shibboleth IdP SSO software. I am able to log in successfully using the “play” button in the list of SAML enterprise connections, but I get back no user attributes (all fields say “empty”). I spoke to my IT department and they told me that the requests from Auth0 they received are not correctly formatted for them to authorize attribute release, since they authorize attribute release by URL, and Auth0 sends the Entity ID “urn:auth0:myorg:conn” instead of a URL (I believe the correct URL would be “https://myorg.auth0.com/login/callback?connection=conn”). For example, in the following log from the Shibboleth IdP:

2018-04-02 08:01:56,824 - INFO [Shibboleth-Audit.SSO:241] - 20180402T120156Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_02fbcadddd306118bad2|urn:auth0:myorg:conn|http://shibboleth.net/ns/profiles/saml2/sso/browser|https://idp.myorg.edu/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_42b9147051399b151d6b1fe3b91297bc|lab5|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport||AAdzZWNyZXQxSU7[...etc]|_9479917446bca8e9775ebf96c183de77|

The Shibboleth IdP expects a URL instead of “urn:auth0:myorg:conn”.

Is it possible to configure Auth0 to send the URL directly this way?

Thank you


#3

:wave: @lab5 You should be able to set URLs for the entity ID if you cannot use URNs.

One way to do this could be to update the entity with the Management API. You’ll need to patch the connection’s options, e.g.:

{
  "options": {
    "entityId": "THE URL ENTITY ID",
    ...
  },
  ...
}

Please let me know if this works for you!


#4

Kim,

Thanks very much for your help. I was able to update the entity ID successfully using the API. One quick follow up question is: should I use the url “https://myorg.auth0.com/” or the url “https://myorg.auth0.com/login/callback?connection=myconn” as the URL entity ID?

Thanks,
Luke


#5

Great question! For a connection named ext-saml-idp-a for example, the service provider Entity ID would be urn:auth0:{auth0_domain}:ext-saml-idp-a as you mentioned earlier (urn:auth0:myorg:con) so for the URL I believe it should be something like "https://{auth0_domain}.auth0.com/saml/ext-saml-idp-a". Let me double check on this.

Also, please note I did not mention earlier that when we make the patch for the options you’ll need to provide any pre-existing options (if any), since they’ll get cleared and the connection would be incorrectly configured at that point.
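The two points above (patch `options.entityId` through the Management API, and send back every pre-existing option because PATCH replaces the whole `options` object) can be combined into one read-merge-write step. The script below is an added example and is not Auth0’s code nor code from anyone in this thread. It assumes the Management API endpoints `GET` and `PATCH /api/v2/connections/{id}`, that `AUTH0_DOMAIN`, `MGMT_API_TOKEN` and `CONNECTION_ID` are supplied via the environment, and it uses a constructed sample connection with placeholder values for the offline dry run; the URL it writes in the dry run is the one the original poster guessed, which the thread has not confirmed.

```python
"""Added example (not Auth0's or the thread authors' code): set a SAML
connection's service-provider entityId through the Auth0 Management API while
preserving the connection's other options.

Assumptions, not from the thread: AUTH0_DOMAIN, MGMT_API_TOKEN and
CONNECTION_ID are read from the environment, and the endpoints used are
GET /api/v2/connections/{id} and PATCH /api/v2/connections/{id}.
"""
import json
import os
import urllib.request
from typing import Any, Dict, Optional

# Constructed sample of what GET /api/v2/connections/{id} might return.
# Every value here is a placeholder, not real configuration.
SAMPLE_CONNECTION: Dict[str, Any] = {
    "id": "con_PLACEHOLDER",
    "name": "conn",
    "strategy": "samlp",
    "options": {
        "entityId": "urn:auth0:myorg:conn",
        "signInEndpoint": "https://idp.example.edu/idp/profile/SAML2/Redirect/SSO",
        "signingCert": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----",
        "protocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    },
}


def merge_entity_id(existing_options: Dict[str, Any], entity_id: str) -> Dict[str, Any]:
    """Return a copy of the current options with entityId replaced.

    PATCH sends the whole 'options' object, so any key left out here
    (signInEndpoint, signingCert, ...) is dropped from the connection.
    """
    if not (entity_id.startswith("https://") or entity_id.startswith("urn:")):
        raise ValueError("entityId must be an https URL or a URN")
    merged = dict(existing_options)
    merged["entityId"] = entity_id
    return merged


def build_patch_body(connection: Dict[str, Any], entity_id: str) -> Dict[str, Any]:
    """Build the PATCH body from a GET response, keeping every existing option."""
    return {"options": merge_entity_id(connection.get("options") or {}, entity_id)}


def dropped_options(before: Dict[str, Any], after: Dict[str, Any]) -> set:
    """Option keys present before the patch but missing afterwards; should be empty."""
    return set(before) - set(after)


def _call(method: str, url: str, token: str, body: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
    """Minimal JSON call to the Management API with a bearer token."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def update_entity_id(domain: str, token: str, connection_id: str, entity_id: str) -> Dict[str, Any]:
    """GET the connection, merge the new entityId, PATCH it back, and verify nothing was lost."""
    url = f"https://{domain}/api/v2/connections/{connection_id}"
    current = _call("GET", url, token)
    body = build_patch_body(current, entity_id)
    updated = _call("PATCH", url, token, body)
    lost = dropped_options(current.get("options") or {}, updated.get("options") or {})
    if lost:
        raise RuntimeError(f"PATCH dropped options: {sorted(lost)}")
    return updated


if __name__ == "__main__":
    # Dry run against the constructed sample; no network call is made.
    new_id = "https://myorg.auth0.com/login/callback?connection=conn"
    print(json.dumps(build_patch_body(SAMPLE_CONNECTION, new_id), indent=2))
    if all(os.environ.get(k) for k in ("AUTH0_DOMAIN", "MGMT_API_TOKEN", "CONNECTION_ID")):
        update_entity_id(os.environ["AUTH0_DOMAIN"], os.environ["MGMT_API_TOKEN"],
                         os.environ["CONNECTION_ID"], new_id)
```

The `dropped_options` check after the PATCH is the practical safeguard for the caveat above: if the response comes back with fewer option keys than the connection had before, the script fails loudly instead of leaving a half-configured connection behind.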

