SAML SSO using Auth0 as service and identity provider login fails due to IdP initiated login

Problem statement

We have been running with Auth0 acting as a SAML service provider in production for a few months with no issues. The IdP is Okta, and the Auth0 connection is called “okta-saml” in our tenant. Users log in through the web application and are redirected to Okta by Auth0. We never perform “IdP initiated login” and thus have disabled this option.

We are now integrating with a partner application using SAML, and we want to use Auth0 as our IdP. Our SAML integration with this partner is SP-initiated: a button in the partner application redirects the user to Auth0, the universal login page is used, and the user can choose between a database connection or the Okta SAML connection.

When using the database connection, the SAML handshake works, but when using Okta, authentication fails with this error: ‘IdP-Initiated login is not enabled for connection “okta-saml”.’

What is curious, and which suggests a bug in Auth0, is that there is no IdP-initiated login; it’s still SP-initiated, just like in the case of the database connection. This suggests to me that there might be a bug when using Auth0 as both a SAML SP and IdP.

Solution

Ensure that the custom domain is configured and used both at the start of the login process and as the domain the IdP returns the user to on callback.
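The following is an added example, not code from the original post and not Auth0's own implementation. It models the general service-provider mechanism that makes a domain mismatch look like IdP-initiated login: the SP records the AuthnRequest ID it issued in state (here a cookie) scoped to the host that started the flow, and when the SAML Response comes back on a different host that state is not presented, so the InResponseTo cannot be correlated and the response is treated as unsolicited. The hostnames, request IDs and the in-memory cookie jar are constructed for the simulation; whether Auth0 internally works exactly this way is an assumption.

```python
"""
Added example (not from the original post, not Auth0's code): a minimal
SAML service-provider-side correlation check showing why a callback that
arrives on a different hostname than the one that started the login is
classified as IdP-initiated. Hosts, IDs and the cookie jar are constructed.
"""
import base64
import secrets
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
ET.register_namespace("samlp", SAMLP)


@dataclass
class Browser:
    """Cookie jar keyed by host, the way a browser scopes cookies."""
    cookies: Dict[str, Dict[str, str]] = field(default_factory=dict)


@dataclass
class ServiceProvider:
    """Tracks outstanding AuthnRequests and the host each one was issued on."""
    pending: Dict[str, str] = field(default_factory=dict)

    def start_login(self, browser: Browser, host: str) -> str:
        """SP-initiated start: mint an AuthnRequest ID and bind it to `host`."""
        request_id = "_" + secrets.token_hex(16)
        self.pending[request_id] = host
        # State cookie is scoped to the host that began the flow.
        browser.cookies.setdefault(host, {})["saml_request_id"] = request_id
        return request_id

    def handle_response(self, browser: Browser, host: str, saml_response_b64: str) -> str:
        """Classify a SAML Response delivered to `host` as 'sp-initiated' or 'idp-initiated'."""
        root = ET.fromstring(base64.b64decode(saml_response_b64))
        in_response_to = root.get("InResponseTo")
        if in_response_to is None:
            return "idp-initiated"  # no AuthnRequest referenced at all
        cookie_id = browser.cookies.get(host, {}).get("saml_request_id")
        if cookie_id != in_response_to or self.pending.get(in_response_to) != host:
            # The browser did not present matching state on this host, so the
            # SP cannot prove it asked for this response: it looks unsolicited.
            return "idp-initiated"
        del self.pending[in_response_to]
        return "sp-initiated"


def build_response(in_response_to: Optional[str]) -> str:
    """Construct a bare (unsigned) samlp:Response, base64-encoded as on the wire."""
    attrs = {"ID": "_" + secrets.token_hex(8), "Version": "2.0"}
    if in_response_to:
        attrs["InResponseTo"] = in_response_to
    xml = ET.tostring(ET.Element("{%s}Response" % SAMLP, attrs))
    return base64.b64encode(xml).decode()


def simulate(start_host: str, callback_host: str) -> str:
    """Run one SP-initiated login that starts on one host and returns on another."""
    sp, browser = ServiceProvider(), Browser()
    request_id = sp.start_login(browser, start_host)
    return sp.handle_response(browser, callback_host, build_response(request_id))


if __name__ == "__main__":
    # Constructed hostnames: a custom domain versus the default tenant domain.
    print(simulate("login.example.com", "login.example.com"))
    print(simulate("login.example.com", "example-tenant.auth0.com"))
```

Running it with the same host for start and callback yields "sp-initiated"; starting on the custom domain but returning on the default tenant domain yields "idp-initiated", which is the shape of the error in the question even though no IdP-initiated flow was ever used.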