Auth0 Home Blog Docs

Some questions of SAML SSO tutorial document

Hi all,

I try to follow instructions in tutorial

At step 9, I can log in without providing the password.
But the result shows https://jwt.io/#error=access_denied&error_description=Service%20not%20found%3A%20https%3A%2F%2Fyour-audience.com&state=*****

Does this error message mean that I have something wrong in the setting steps? Or just because I do not setup “your-audience.com” to my own service (which in my case is elastic cloud)

Any suggestions will be appreciated, thanks a lot !

In addition, if there is any information about how to setup SAML SSO for elastic cloud, please let me know.

Hey there @han.shih and welcome to the Auth0 Community!

Can you share screenshots or any additional log information when you encounter the error? When you get a chance can you send over your tenant name that you’ve been building out the tutorial with? Thanks in advance!

First, I create a user in my IDP tenant

and set the domain to “abc-example.com

then open the “hello_saml.html”, I get this

Here is the point.
No matter what I input, as long as the account format meets XXX@abc-example.com ,
I can log in without entering a password.

Then the webpage redirect to something like


Please let me know if you need further information, thanks!

Can you please direct message me the tenant name when you get a chance @han.shih? Thanks!

I wanted to follow up @han.shih after I spoke with one of our senior team members with what you’re facing.

You may have set by accident the wrong audience in step 4.6 on https://auth0.com/docs/protocols/saml/samlsso-auth0-to-auth0, based on the error message you initially provided in the original post.

The audience should be an URN, i.e. looks something like this:

{
  "audience": "urn:example:SAML-Auth0-IDP"
}

Where example is the tenant name, and SAML-Auth0-IDP is the connection name for the SAML connection.

When you get a chance can you give this a look? Thanks!

Hi James,

Thanks for your reply.

Below is my settings

I can not figure out what the mistakes I possibly make to cause this error.

Any suggestion will be appreciated, thanks !!!

This audience named https://your-audience.com that is mentioned in the error message: do you have an idea where this is coming from? Where in the configuration do you have this set?

The “https://your-audience.com” is from step 8 of https://auth0.com/docs/protocols/saml/samlsso-auth0-to-auth0

And the tutorial does not mention in detail about what should I use to replace that string.

Do you mean that I should set that string to my service provider’s (elastic cloud, in my case) URL?? (metadata url, callback url ? I am not sure)

I see. Can you just remove this audience line in the script, or comment it out, and try again.

(Or alternatively, create an API under Auth0 Dashboard > APIs, where you set the the API identifier to https://your-audience.com, but I would just comment the line out).

Thanks for your reply.

After I remove that line, I get this

It shows “invalid signature”

Is it the ‘right’ thing to show up?

In addition, can I use the IDP & SP I create based on the tutorial to create a SAML SSO for my elastic cloud? (what I want to do is: signin with the SP on Auth0, then I can reach kibana dashboard without another signin)

Ok, I see. The token that’s in your screenshot is an opaque string, not a JWT.
Sorry, I forgot that if we want to get a JWT (because in the example/tutorial, it’s sent to JWT to checkout the token afterwards), we do need the audience parameter.

Therefore, please follow the second advice, and add it back to the call:

Create an API under Auth0 Dashboard > APIs , where you set the the API identifier to https://your-audience.com

If you run it again, you should then get a proper JWT after authentication which should show properly on jwt.io.


Regarding this:

signin with the SP on Auth0, then I can reach kibana dashboard without another signin

Yes, Kibana supports SAML, so that should be no problem.
I found this blog post:

In this case, Auth0 only acts as the SAML IdP, while Kibana is the SP. You’d need to configure Kibana then accordingly. This means, you would just follow the steps to configure Auth0 as IdP, not as SP, which is described here: https://auth0.com/docs/protocols/saml/saml-configuration/auth0-as-identity-provider#manually-configure-a-sso-integration under “Manual Configure a SSO Integration”.

2 Likes

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.