Send a SAML Response that Includes the "AudienceRestriction" Tag when api.access.deny() Is Called

Overview

This article clarifies whether it is possible to send a SAML Response that includes the “AudienceRestriction” tag when Auth0 is the IdP and Salesforce is the SP.

To redirect a user to the custom error page (URL) on Salesforce, Salesforce requires a SAML Response that includes the “AudienceRestriction” tag. Please check out this link for more details.

The desired use case for which this article applies:

  • In a Post Login Action, api.access.deny() is called if the user has a particular value in app_metadata.
  • If api.access.deny() is called, the user should be redirected to the custom error page (URL) on Salesforce.

Applies To

  • Salesforce
  • api.access.deny()
  • Post Login Action

Solution

It is not possible. The IdP sends a SAML Response that includes an Assertion and the “AudienceRestriction” tag only when authentication succeeds. If api.access.deny() is called and authentication fails, the IdP sends a SAML Response that does not include an Assertion. This is standard SAML behavior and not Auth0-specific.

The only workaround is to not call api.access.deny(), alter the value of the “AudienceRestriction” tag instead, and send the SAML Response with an Assertion to Salesforce. The side effects of this cannot be thoroughly identified, so error handling must be implemented on Salesforce in order to block the user's access to the application.

To update the value of the “AudienceRestriction” tag from the Action, api.samlResponse.setAudience() can be used.
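The following is an added example of what such a Post Login Action could look like; it is not code from this article or from Auth0. It assumes the app_metadata flag is named sf_blocked, that the Salesforce application is identified by a placeholder client_id, and that the altered audience value is a placeholder that Salesforce will reject (and therefore route to the custom error page). The decision logic is kept in a separate function so it can be tested outside Auth0 with a stand-in for the api object; only the handler at the bottom uses the real api.access.deny() and api.samlResponse.setAudience() calls.

```javascript
// Added example, not Auth0's own code. Names marked "placeholder" are assumptions.

// Placeholder for the Auth0 client_id of the Salesforce application.
const SALESFORCE_CLIENT_ID = 'PLACEHOLDER_SALESFORCE_CLIENT_ID';

// Placeholder audience that does not match Salesforce's expected entity ID,
// so Salesforce's AudienceRestriction check fails and its error handling runs.
const BLOCKED_AUDIENCE = 'urn:example:access-blocked';

// Assumed app_metadata flag (placeholder name) that marks a user as blocked.
function isBlockedUser(event) {
  const meta = (event.user && event.user.app_metadata) || {};
  return meta.sf_blocked === true;
}

// Pure decision: returns what the Action should do for this login.
//   allow          -> let the login proceed untouched
//   alterAudience  -> Salesforce login: keep the Assertion, change the audience
//   deny           -> any other application: standard api.access.deny()
function decide(event, salesforceClientId) {
  if (!isBlockedUser(event)) {
    return { kind: 'allow' };
  }
  const clientId = event.client && event.client.client_id;
  if (clientId === salesforceClientId) {
    return { kind: 'alterAudience', audience: BLOCKED_AUDIENCE };
  }
  return { kind: 'deny', reason: 'Access blocked by app_metadata' };
}

// Applies a decision to the Actions api object (real or stand-in).
function applyDecision(decision, api) {
  if (decision.kind === 'deny') {
    api.access.deny(decision.reason);
  } else if (decision.kind === 'alterAudience') {
    api.samlResponse.setAudience(decision.audience);
  }
  return decision;
}

// Stand-in for the Actions api object, used only for local testing.
function makeFakeApi() {
  const calls = { denied: null, audience: null };
  return {
    calls,
    access: { deny(reason) { calls.denied = reason; } },
    samlResponse: { setAudience(a) { calls.audience = a; } },
  };
}

// The Post Login Action handler as Auth0 Actions expect it.
const onExecutePostLogin = async (event, api) => {
  applyDecision(decide(event, SALESFORCE_CLIENT_ID), api);
};

// In an Auth0 Action this is written as exports.onExecutePostLogin = ...
if (typeof exports !== 'undefined') {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

Because the Assertion is still issued for blocked users, the Salesforce side must treat the placeholder audience as a hard failure; the Action alone does not block access, as the article notes.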

Related References