Some questions of SAML SSO tutorial document

Hi all,

I tried to follow the instructions in the tutorial

At step 9, I can log in without providing the password.
But the result shows JSON Web Tokens -*****

Does this error message mean that I have something wrong in the setting steps? Or is it just because I did not set up “” for my own service (which in my case is elastic cloud)?

Any suggestions will be appreciated, thanks a lot !

In addition, if there is any information about how to setup SAML SSO for elastic cloud, please let me know.

Hey there @han.shih and welcome to the Auth0 Community!

Can you share screenshots or any additional log information when you encounter the error? When you get a chance can you send over your tenant name that you’ve been building out the tutorial with? Thanks in advance!

First, I create a user in my IDP tenant

and set the domain to “

then open the “hello_saml.html”, I get this

Here is the point.
No matter what I input, as long as the account format meets ,
I can log in without entering a password.

Then the webpage redirects to something like

Please let me know if you need further information, thanks!

Can you please direct message me the tenant name when you get a chance @han.shih? Thanks!

I wanted to follow up @han.shih after I spoke with one of our senior team members with what you’re facing.

You may have set by accident the wrong audience in step 4.6 on Test SAML SSO with Auth0 as Service Provider and Identity Provider, based on the error message you initially provided in the original post.

The audience should be a URN, i.e. it looks something like this:

  "audience": "urn:example:SAML-Auth0-IDP"

Where example is the tenant name, and SAML-Auth0-IDP is the connection name for the SAML connection.

When you get a chance can you give this a look? Thanks!

Hi James,

Thanks for your reply.

Below are my settings

I cannot figure out what mistakes I could have made to cause this error.

Any suggestion will be appreciated, thanks !!!

This audience named that is mentioned in the error message: do you have an idea where this is coming from? Where in the configuration do you have this set?

The “” is from step 8 of Test SAML SSO with Auth0 as Service Provider and Identity Provider

And the tutorial does not mention in detail what I should use to replace that string.

Do you mean that I should set that string to my service provider’s (elastic cloud, in my case) URL?? (metadata url, callback url ? I am not sure)

I see. Can you just remove this audience line in the script, or comment it out, and try again?

(Or alternatively, create an API under Auth0 Dashboard > APIs, where you set the API identifier to, but I would just comment the line out).

Thanks for your reply.

After I remove that line, I get this

It shows “invalid signature”

Is it the ‘right’ thing to show up?

In addition, can I use the IDP & SP I create based on the tutorial to create a SAML SSO for my elastic cloud? (what I want to do is: signin with the SP on Auth0, then I can reach kibana dashboard without another signin)

Ok, I see. The token that’s in your screenshot is an opaque string, not a JWT.
Sorry, I forgot that if we want to get a JWT (because in the example/tutorial, it’s sent to JWT to check out the token afterwards), we do need the audience parameter.

Therefore, please follow the second advice, and add it back to the call:

Create an API under Auth0 Dashboard > APIs, where you set the API identifier to

If you run it again, you should then get a proper JWT after authentication which should show properly on

Regarding this:

signin with the SP on Auth0, then I can reach kibana dashboard without another signin

Yes, Kibana supports SAML, so that should be no problem.
I found this blog post:

In this case, Auth0 only acts as the SAML IdP, while Kibana is the SP. You’d need to configure Kibana then accordingly. This means, you would just follow the steps to configure Auth0 as IdP, not as SP, which is described here: Configure Auth0 as SAML Identity Provider under “Manual Configure a SSO Integration”.
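
The difference discussed in the reply above between an opaque access token and a JWT, and the effect of the `audience` parameter, can be checked locally. The following is an added example, not part of the thread or of Auth0's code: the function names, the sample tokens and the `urn:placeholder:api-identifier` value are assumptions constructed for illustration, and the code only decodes a token without verifying its signature.

```javascript
// Added example: classify an access token as opaque or JWT and read its "aud"
// claim. Decoding only; this does NOT verify the signature.
function b64urlJson(segment) {
  // base64url -> base64, then parse the decoded bytes as JSON
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

function inspectAccessToken(token, expectedAudience) {
  const parts = String(token).split(".");
  // A signed JWT in compact form is header.payload.signature
  if (parts.length !== 3 || parts.some((p) => !/^[A-Za-z0-9_-]+$/.test(p))) {
    return { kind: "opaque", reason: "not three base64url segments" };
  }
  let header, claims;
  try {
    header = b64urlJson(parts[0]);
    claims = b64urlJson(parts[1]);
  } catch (e) {
    return { kind: "opaque", reason: "segments do not decode to JSON" };
  }
  if (!header || !header.alg || claims === null || typeof claims !== "object") {
    return { kind: "opaque", reason: "no JWT header or claims object" };
  }
  // "aud" may be a single string or an array of strings (RFC 7519)
  const audiences = [].concat(claims.aud === undefined ? [] : claims.aud);
  return {
    kind: "jwt",
    alg: header.alg,
    audiences,
    audienceMatches: audiences.includes(expectedAudience),
  };
}

// Constructed sample tokens (not taken from the thread)
function makeSample(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [enc({ alg: "RS256", typ: "JWT" }), enc(claims), "c2lnbmF0dXJl"].join(".");
}
const EXPECTED = "urn:placeholder:api-identifier"; // hypothetical API identifier
const jwtSample = makeSample({ aud: [EXPECTED, "https://example.invalid/userinfo"] });
const opaqueSample = "kV3xQ9dT0aLm2ZpR7sYw1uHc4bNfG6eJ"; // constructed opaque string

console.log(inspectAccessToken(opaqueSample, EXPECTED));
console.log(inspectAccessToken(jwtSample, EXPECTED));
```

A result of `kind: "opaque"` corresponds to the situation in the thread where a JWT viewer cannot parse the token; `audienceMatches: false` on a real JWT points at a mismatch between the requested audience and the configured API identifier.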

