SAML setup with GoodData -- Auth0 Identity Provider Login URL redirects to GoodData login page

saml

#1

I am trying to set up Auth0 as an Identity Provider for my SAML application service provider: GoodData.

GoodData utilizes the SAML protocol for exchanging information with Auth0, so I have gone through the following to configure Auth0 authentication for our GoodData organization:
https://auth0.com/docs/protocols/saml/saml-idp-generic#2-configure-auth0-as-idp

I have sent all required info to GoodData and their engineers have configured the GoodData app as a Service Provider for Auth0.

However, after signing in on the Identity Provider Login URL below with a user that exists in Auth0, I am redirected to the GoodData login page and not logged into the GoodData app:

https://himssanalytics.auth0.com/samlp/psKyAvWjlyqdv0r950U8YNHCkib0P6Li

Are there further steps that need to be taken to configure the SAML setup beyond those in the SAML setup steps in the link above?


After fixing the initial URL error and logging in, I am still redirected to the GoodData login page and not logged into the GoodData app.

GoodData also mentioned that they believe I have something configured incorrectly on the Auth0 side; they advised making the following changes to the Auth0 SAML setup:

Settings

{
  "audience": "solutions.himssanalytics.org",
  "recipient": "https://solutions.himssanalytics.org/gdc/account/samllogin",
  "nameIdentifierFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ],
  "signResponse": true
}

I went to Client settings -> SAML2 addon under my GoodData app to make these changes, but I don’t see any way to change those values, and under the SAML2 addon, I see the following:

“You need to configure your settings before being able to enable this addon.”

Is there somewhere that I can change those settings?


#2

The information provided is not enough to provide a definitive answer; however, since you mention that you sign in correctly and are then redirected to an incorrect location (the login page, instead of the application recognizing the SAML-authenticated user), you may want to check if you correctly configured the URL to which the SAML assertion should be sent.

According to GoodData documentation, the SAML assertion should be sent to a URL similar to the following: https://secure.gooddata.com/gdc/account/samllogin; it may be different if you have your own hostname.

You may want to confirm that you correctly configured the Auth0 SAML addon to use an Application Callback URL as stated in their documentation. If this does not prove to be the source of the issue, you may need to include more information in the question.


#3

Thanks @jmangelo, I spoke with GoodData and you were right: I had the wrong callback URL. I have updated that to the value they provided: https://solutions.himssanalytics.org/gdc/account/samllogin.


#5

In relation to your update, the settings are edited on the SAML 2.0 Addon screen using the JavaScript editor. By default all settings are commented out, so you should uncomment the relevant ones and update their values.
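
A way to confirm that the addon settings discussed above actually reach the service provider, as an added example that is not part of the original thread or of Auth0's or GoodData's code: decode the SAMLResponse and compare it against the values GoodData supplied. The function names `check_response` and `sample_response` are hypothetical, and the sample response is constructed, not captured traffic.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Values taken from the settings block GoodData supplied in this thread.
EXPECTED = {
    "recipient": "https://solutions.himssanalytics.org/gdc/account/samllogin",
    "audience": "solutions.himssanalytics.org",
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}

def check_response(b64_response, expected=EXPECTED):
    """Return the mismatches between a base64 SAMLResponse and the SP's settings."""
    root = ET.fromstring(base64.b64decode(b64_response))
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    aud = root.find(".//saml:AudienceRestriction/saml:Audience", NS)
    nameid = root.find(".//saml:Subject/saml:NameID", NS)
    found = {
        "recipient": scd.get("Recipient") if scd is not None else None,
        "audience": (aud.text or "").strip() if aud is not None else None,
        "nameid_format": nameid.get("Format") if nameid is not None else None,
    }
    problems = [f"{k}: got {found[k]!r}, expected {v!r}"
                for k, v in expected.items() if found[k] != v]
    # A signed response carries ds:Signature as a direct child of samlp:Response.
    # Presence only: this does not verify the signature cryptographically.
    if root.find("ds:Signature", NS) is None:
        problems.append("response is not signed at the Response level")
    if nameid is None or "@" not in (nameid.text or ""):
        problems.append("NameID value is not an email address")
    return problems

def sample_response(recipient, audience, fmt, name_id, signed=True):
    """Build a constructed, minimal SAMLResponse for testing (not captured traffic)."""
    sig = "<ds:Signature/>" if signed else ""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'xmlns:ds="{NS["ds"]}">{sig}<saml:Assertion><saml:Subject>'
           f'<saml:NameID Format="{fmt}">{name_id}</saml:NameID>'
           f'<saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{recipient}"/>'
           f'</saml:SubjectConfirmation></saml:Subject><saml:Conditions>'
           f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
           f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```

The `SAMLResponse` value is the base64 form field the browser POSTs to the callback URL after login. This is a configuration diagnostic only; it checks for the presence of a signature and does not validate it.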


#6

Yes! It works! Thanks @jmangelo!


#8

I just have a couple final questions on SAML 2 setup:

  1. I have created a Post User Registration hook that pushes new users to our GoodData app via API. In the list of hook user params, I don’t see an option to get the user’s current password – is there a way that I can access the user’s current password in a hook?

  2. Are there any future plans to add a “User Updated” Hook? For example, if we change a user’s email, the hook would fire?

  3. Is there a way to limit the Post User Registration hook to only run for certain users? For example, only run a hook for users that are associated to a given client (application)?

Thanks!


#9