Setting up Auth0 as a SAML 2 provider

Hi there.

Our platform uses Auth0 as the authentication provider. We are looking to bundle some other services with our tool and allow people to log into those other systems using their login in our platform.

To do this we are attempting to configure Auth0 as a SAML2 provider. The other tools we are trying to bundle all support SSO via SAML2.

So we are off to a good start. So far, on paper, everything checks out.

The first system I’ve tried to connect uses Okta as THEIR authentication system. Following along with their technical guides I’ve set up a new Application within Auth0 and enabled the SAML 2 plugin. I seem to have it half configured.

This is what happens when I test it …

  1. Go to other system’s login page.
  2. Click on SSO button. I get redirected to the Auth0 login page for the application I configured (so far so good).
  3. Login with Auth0. Success. I get redirected BACK to the other tool (so far so good).
  4. The other tool doesn’t recognize me as being logged in and I get stuck in a circle.

The other system wants the “name ID” to be the email address. I appear to have all of that configured properly.

I’ve double checked all the certificates. I’m fairly confident those are all right.

I’m semi-confident Auth0 is redirecting me back to the correct URL.

But something isn’t quite right and I don’t have any diagnostics to see what isn’t right. The other tool doesn’t present a diagnostic log, so I can’t tell what it is receiving.

Is there somewhere in Auth0 I can see what is happening on this end?

Any advice for how to troubleshoot this? I feel like I am super close.

Hey @jason.glover, welcome to the Auth0 Community!

If you are using Auth0 as the IDP you can set the nameIdentifierProbes in the Application SAML Addon settings to be email address.

By default, as mentioned in the add-on, it’s mapped like this:

* **nameIdentifierProbes (Array):** Auth0 will try each of the attributes of this array in order. If one of them has a value, it will use that for the Subject/NameID. The order is: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier (mapped from user_id), http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress (mapped from email), http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name (mapped from name).

So it will give user_id as the preference.

You can remove both user_id and name and just keep email, so it will map the Name ID to email.

Something like this, in the SAML2 Web App add-on settings JSON:

```json
{
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ]
}
```

You can always validate this by checking the SAML response returned by Auth0 in a HAR file.

Copy the SAML response from the HAR file and decode it in:
https://samltool.io/

Let me know if this helps!

Regards,
Sid
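To make the answer above concrete, here is an added example (not code from Auth0 or from either poster) that does two things: it reproduces the nameIdentifierProbes selection order over a user profile, so you can see why the default picks user_id and why trimming the array to the emailaddress claim changes the NameID; and it decodes a SAMLResponse form value the way you would copy it out of a HAR file (URL-encoded base64) and pulls out the fields an SP silently rejects on, namely NameID and its Format, Destination, Audience and Status. The SAML XML, the tenant name, the SP URLs and the user profile are all constructed sample data, and the check() expectations are assumptions standing in for whatever the other tool's SAML settings say.

```python
"""Added example: Auth0 nameIdentifierProbes ordering and HAR SAMLResponse decoding."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Default probe order from the add-on docs quoted above: user_id, then email, then name.
DEFAULT_PROBES = [CLAIMS + "nameidentifier", CLAIMS + "emailaddress", CLAIMS + "name"]
# Which user-profile field each claim URI is mapped from.
CLAIM_SOURCE = {
    CLAIMS + "nameidentifier": "user_id",
    CLAIMS + "emailaddress": "email",
    CLAIMS + "name": "name",
}


def pick_name_id(user, probes=DEFAULT_PROBES):
    """Return (claim_uri, value) for the first probe whose profile field is non-empty, else None."""
    for claim in probes:
        value = user.get(CLAIM_SOURCE.get(claim, claim))
        if value:
            return claim, value
    return None


def decode_saml_response(form_value):
    """Turn the SAMLResponse form field as seen in a HAR POST body into XML text."""
    return base64.b64decode(urllib.parse.unquote(form_value)).decode("utf-8")


def summarize(xml_text):
    """Extract the fields worth comparing against the SP's SAML settings."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS) if assertion is not None else None
    audience = assertion.find(".//saml:Audience", NS) if assertion is not None else None
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    return {
        "destination": root.get("Destination"),
        "status": status.get("Value") if status is not None else None,
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS) if assertion is not None else None,
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "audience": audience.text if audience is not None else None,
    }


def check(summary, expected_acs, expected_audience, expected_format):
    """Return a list of mismatches; an empty list means the response matches the SP's expectations."""
    problems = []
    if not (summary["status"] or "").endswith(":Success"):
        problems.append("status is not Success: %s" % summary["status"])
    if summary["destination"] != expected_acs:
        problems.append("Destination %s != ACS URL %s" % (summary["destination"], expected_acs))
    if summary["audience"] != expected_audience:
        problems.append("Audience %s != SP entity ID %s" % (summary["audience"], expected_audience))
    if summary["name_id"] is None:
        problems.append("assertion carries no NameID")
    elif summary["name_id_format"] != expected_format:
        problems.append("NameID Format %s != %s" % (summary["name_id_format"], expected_format))
    return problems


# Constructed sample response; a real one is signed and much longer.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-01-01T00:00:00Z" Destination="https://sp.example.test/saml/acs">
  <saml:Issuer>urn:example-tenant.auth0.com</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>urn:example-tenant.auth0.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://sp.example.test</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# What the HAR file's POST body would contain for that response (constructed here).
HAR_FORM_VALUE = urllib.parse.quote(base64.b64encode(SAMPLE_RESPONSE.encode()).decode())
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

if __name__ == "__main__":
    user = {"user_id": "auth0|abc123", "email": "alice@example.test", "name": "Alice"}
    print("default probes ->", pick_name_id(user))
    print("email-only probes ->", pick_name_id(user, [CLAIMS + "emailaddress"]))
    summary = summarize(decode_saml_response(HAR_FORM_VALUE))
    print(summary)
    print("problems:", check(summary, "https://sp.example.test/saml/acs", "https://sp.example.test", EMAIL_FORMAT))
```

Run it as is to see the two probe outcomes and the decoded summary; to use it on a real capture, paste the SAMLResponse value from the HAR entry for the POST to the SP's ACS URL into decode_saml_response() and fill check() with the ACS URL, entity ID and NameID format the other tool documents. A non-empty problems list usually explains a silent redirect loop.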