SSO - IdP Initiated Flow - Okta to Auth0

Hello!

My scenario:

I am working on a proof of concept

I have a third party IdP that will have a link to my ReactJS app on their dashboard. Authentication occurs when the user logs into the third party's website. The third party only communicates via SAML. For my proof of concept I am using Okta as the IdP.
I am using Auth0 as an intermediary to convert the SAML response to OIDC. My Enterprise Connection has the certificate from the IdP.
When I attempt to get to my ReactJS app, I get the Auth0 login page, so there is a disconnect between my IdP and Auth0. An example of the link being used by the IdP dashboard is:
https://xxxxxxxx.auth0.com/samlp/{client id from my application in Auth0 here}?connection=MySAML

I am unsure as to how to connect the IdP to Auth0. I have read through the documentation and did not find anything to clarify this. Any insights would be appreciated!

Hey @rbn, welcome to the Auth0 Community!

You’ll need to look at setting up an Enterprise Connection. Since you are using Okta SAML IdP, you should be able to follow the instructions here to get this set up -

Configure Okta as SAML Identity Provider

When the call is made to the authorize endpoint from the app, including the connection parameter will direct the users straight to the IdP rather than showing them the Auth0 login prompt.

If it is just any SAML IdP you need for the POC, you can do the test using Auth0 as both SP and IdP; the instructions are here.

Hope this helps!


Hi Nathan,

Thanks for your help, I really appreciate it!

I decided to do the test using Auth0 as both IdP and SP.
When I perform the test from the IdP, I get the “It Works” page, and I see the user information I entered in the IdP.
When I perform the test from the SP, I get the “It Works” page, and I see the user email I entered in the IdP in the decoded SAML response.
I set up the HTML test. I entered:
domain: 'SP-TENANT.us.auth0.com',
clientID: 'ClientID of Application in SP',

When I click Login on the HTML page, I get:
302 GET Request to my SP tenant
200 GET Request to my SP tenant - this gives me a login page for the SP tenant (the Regular Web Application I set up)
I enter my credentials from the user in the IdP tenant, and I get “Wrong email or password”
The trace indicates a 400 POST to my SP tenant

As a separate test, I called the URL:
https://MY-IDP-TENANT.us.auth0.com/samlp/CLIENTID-IN-MY-IDP
(I needed to enable IdP-Initiated SSO)

I get routed to JWT.IO (jwt.io).
The expected token for my IdP user is not passed/displayed.

Any thoughts would be appreciated - Thank you very much!

One thing I did notice - when I executed my second test above, I see that the account successfully logged in on both tenants. I can’t determine why we don’t get the token passed to jwt.io.

Some additional info: JWT.IO receives:
/?code={45 character alphanumeric string}

It turns out the setting I was missing was:
response_type=token id_token

which needed to be added to the Enterprise Connection (in the SP) under IdP-Initiated SSO | Query String
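The two outcomes described above (jwt.io receiving only `?code=...`, then the tokens appearing once `response_type=token id_token` was added to the IdP-Initiated SSO query string) come down to where Auth0 puts the result. With the default `code` response type, the authorization code arrives in the query string and has to be exchanged at the token endpoint by a backend holding the client secret, which a static page like jwt.io cannot do; with `token id_token`, the tokens arrive in the URL fragment, which the page reads directly. The following is an added example, not code from the thread or from Auth0, that classifies a callback URL and decodes the id_token claims for inspection. The sample URLs and the token in the test are constructed. Note that an IdP-initiated response carries no `state` or `nonce` the app generated, so the app cannot bind it to a request it started; where the third party supports it, an SP-initiated flow is the safer design.

```javascript
// Added example: classify what arrived at the redirect_uri and decode the id_token.
// Sample inputs are constructed; a real id_token is signed by the Auth0 tenant.

// base64url -> utf8 string (JWT segments are unpadded base64url).
function base64UrlDecode(s) {
  const pad = s.length % 4 === 0 ? "" : "=".repeat(4 - (s.length % 4));
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + pad;
  return Buffer.from(b64, "base64").toString("utf8");
}

// Inspection only: returns the payload WITHOUT checking the signature.
// A relying party must verify signature, iss, aud, exp (and nonce when it set one)
// before trusting any claim.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS (expected 3 segments)");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Tells the caller which shape of response it got:
//  - "error":    Auth0 reported an error in the query string
//  - "implicit": response_type=token id_token -> tokens in the URL fragment
//  - "code":     response_type=code -> authorization code in the query string
//  - "none":     nothing recognisable
function classifyCallback(callbackUrl) {
  const u = new URL(callbackUrl);
  const query = u.searchParams;
  const fragment = new URLSearchParams(u.hash.startsWith("#") ? u.hash.slice(1) : u.hash);

  if (query.get("error")) {
    return { kind: "error", error: query.get("error"), description: query.get("error_description") };
  }
  if (fragment.get("id_token")) {
    const idToken = fragment.get("id_token");
    return {
      kind: "implicit",
      idToken,
      accessToken: fragment.get("access_token"),
      claims: decodeJwtPayload(idToken),
    };
  }
  if (query.get("code")) {
    // Must be POSTed to https://<tenant>/oauth/token by a backend with the client secret.
    return { kind: "code", code: query.get("code") };
  }
  return { kind: "none" };
}

// Builds a constructed, UNSIGNED sample token for offline demonstration only.
// The signature segment is a dummy; real tokens come signed from Auth0.
function makeSampleIdToken(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(payload)}.dummysignature`;
}

// Usage with constructed URLs:
console.log(classifyCallback("https://jwt.io/?code=ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghi").kind);
const sample = makeSampleIdToken({ sub: "samlp|MySAML|user@example.com", email: "user@example.com" });
console.log(classifyCallback(`https://jwt.io/#access_token=at.example&id_token=${sample}&token_type=Bearer`).claims.email);
```

Run it with Node; the first call prints `code` (the situation before the fix) and the second prints the email claim read from the fragment (the situation after adding `response_type=token id_token`).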