SAML SSO with CyberArk as IdP

Hi!

I’m working on a web platform that uses Auth0 for authentication.

We’re trying to set up a SAML connection between Auth0 and CyberArk where CyberArk is the identity provider and Auth0 is the service provider.
This should allow users from a different company that uses CyberArk to log in to our platform.

I tried to follow the link below from the docs, but can’t get the connection working.

I’m mainly confused about what to put in the CyberArk side.
It allows me to either upload a metadata XML file (which I can’t seem to find in Auth0) or provide the values manually, which I currently filled in like this:

  • SP entity ID / issuer / audience:
    urn:auth0:< tenant >:< connection>

  • Assertion consumer service (ACS) URL:
    https://< tenant >.eu.auth0.com/p/samlp/< string >

  • Recipient:
    checked “same as ACS URL”

  • Sign response or assertion:
    selected “Response”

  • NameId format:
    selected “unspecified”

  • Single logout URL:
    blank

  • Encrypt SAML response assertion:
    not checked

Screenshot for some more context:

Now when we click the SSO-button on the other platform, the user ends up on the ACS URL, and sees some kind of certificate on the screen.

When I put the ACS URL in my browser directly, I don’t see the certificate but I’m redirected to the SAML Identity Provider Configuration Settings documentation instead, so I’m guessing some authorization does happen when clicking the SSO link?

I don’t see the IdP user in the Auth0 users list though, while I was expecting this user to automatically be created on the SP side?

There’s a lot of documentation on using Auth0 as IdP, but for setting it up as SP there’s not a lot of information, it seems. So does anyone know which values I need to use to get it working?

Kind regards

Hi @LoposEnzo,

Welcome to the Auth0 Community!

It looks like you may have misconfigured the Assertion Consumer Server URL (Post-back URL). This should be in the following format:

https://{yourDomain}/login/callback?connection={yourConnectionName}

Then you should be able to test a SP-initiated flow with this connection using the Try button next to the name of the connection.
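To make the difference between the two ACS URLs in this thread concrete, here is an added example (not Auth0's or CyberArk's code, and not part of the original posts) that derives the SP-side values an IdP must be given for an Auth0 SAML connection and then checks a decoded SAMLResponse against them. It assumes the entity ID format `urn:auth0:{tenant}:{connection}` from the question and the ACS format `https://{yourDomain}/login/callback?connection={yourConnectionName}` from the reply; `example-tenant`, `eu`, `cyberark` and the issuer URL are placeholders, and the SAML Response it builds is a constructed, unsigned fixture. It compares routing fields only (Destination, Recipient, Audience) and reports which element carries a Signature; it does not verify signatures.

```python
# Added example (not Auth0's or CyberArk's code). Placeholders: example-tenant, eu, cyberark.
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def auth0_sp_values(tenant, region, connection):
    """SP entity ID (audience) and ACS URL for an Auth0 SAML connection,
    using the two formats quoted in the thread above."""
    domain = f"{tenant}.{region}.auth0.com" if region else f"{tenant}.auth0.com"
    return {
        "entity_id": f"urn:auth0:{tenant}:{connection}",
        "acs_url": f"https://{domain}/login/callback?connection={connection}",
    }


def check_saml_response(saml_response_b64, expected):
    """Decode the base64 SAMLResponse form field and compare Destination, Recipient
    and Audience with the SP values. Returns a list of mismatches (empty == OK).
    Signature verification is deliberately out of scope here."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        return [f"top-level element is {root.tag}, not samlp:Response"]
    problems = []

    destination = root.get("Destination")
    if destination != expected["acs_url"]:
        problems.append(f"Destination {destination!r} != ACS URL {expected['acs_url']!r}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext saml:Assertion (an encrypted assertion must be decrypted first)")
        return problems

    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != expected["acs_url"]:
        problems.append(f"Recipient {recipient!r} != ACS URL {expected['acs_url']!r}")

    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected["entity_id"] not in audiences:
        problems.append(f"Audience {audiences!r} does not include entity ID {expected['entity_id']!r}")
    return problems


def signed_elements(saml_response_b64):
    """Which elements carry a ds:Signature; the IdP's 'Sign response or assertion'
    choice decides whether 'Response', 'Assertion' or both show up here."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    signed = []
    if root.find("ds:Signature", NS) is not None:
        signed.append("Response")
    assertion = root.find("saml:Assertion", NS)
    if assertion is not None and assertion.find("ds:Signature", NS) is not None:
        signed.append("Assertion")
    return signed


def build_sample_response(destination, recipient, audience, sign_response=True):
    """Constructed test fixture standing in for an IdP-issued Response.
    The empty ds:Signature is a structural placeholder, not a real signature."""
    sig = '<ds:Signature xmlns:ds="%s"/>' % NS["ds"] if sign_response else ""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" IssueInstant="2023-01-01T00:00:00Z" Destination="{destination}">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>{sig}
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="2023-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    sp = auth0_sp_values("example-tenant", "eu", "cyberark")
    # First attempt from the question: ACS pointed at /p/samlp/<string>, not /login/callback
    first_try = "https://example-tenant.eu.auth0.com/p/samlp/abc123"
    print(check_saml_response(build_sample_response(first_try, first_try, sp["entity_id"]), sp))
    fixed = build_sample_response(sp["acs_url"], sp["acs_url"], sp["entity_id"])
    print(check_saml_response(fixed, sp), signed_elements(fixed))
```

In a real debugging session the input is the `SAMLResponse` form field captured from the browser's POST to the ACS URL; a non-empty list from `check_saml_response` means the IdP is addressing a different SP than the Auth0 connection expects, which is exactly the kind of mismatch that lands the user on a documentation page instead of a login event.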

Hello @eric.culley

Thanks for the help!

I changed the ACS URL on the IdP side and enabled IdP-initiated SSO, and now I’m redirected from the IdP to the Auth0 login page.
I’m expecting the login page to be bypassed when SAML is set up correctly?
The query string does contain a “state” parameter though.

The documentation also notes I should see a successful login event in the Auth0 logs, but I’m not seeing any logs regarding SAML.
Does this indicate anything?