I have a third party IdP that will have a link to my ReactJS app on their dashboard. Authentication occurs when the user logs into the third party's website. The third party only communicates via SAML. For my proof of concept I am using Okta as the IdP.
I am using Auth0 as an intermediary to convert the SAML response to OIDC. My Enterprise Connection has the certificate from the IdP.
When I attempt to get to my ReactJS app, I get the Auth0 login page, so there is a disconnect between my IdP and Auth0. An example of the link being used by the IdP dashboard is: https://xxxxxxxx.auth0.com/samlp/{client id from my application in Auth0 here}?connection=MySAML
I am unsure as to how to connect the IdP to Auth0. I have read through the documentation and did not find anything to clarify this. Any insights would be appreciated!
You’ll need to look at setting up an Enterprise Connection. Since you are using Okta SAML IdP, you should be able to follow the instructions here to get this set up -
When the call is made to the authorize endpoint from the app, including the connection parameter will direct the users straight to the IdP rather than seeing the Auth0 login prompt.
I decided to do the test using Auth0 as both IdP and SP.
When I perform the test from the IdP, I get the “It Works” page, and I see the user information I entered in the IdP.
When I perform the test from the SP, I get the “It Works” page, and I see the user email I entered in the IdP in the decoded SAML response.
I set up the HTML test. I entered:
domain: 'SP-TENANT.us.auth0.com',
clientID: 'ClientID of Application in SP',
When I click Login on the HTML page, I get:
302 GET Request to my SP tenant
200 GET Request to my SP tenant - this gives me the login page of the SP tenant's Regular Web Application that I set up
I enter my credentials from the user in the IdP tenant, and I get “Wrong email or password”
The trace indicates a 400 POST to my SP tenant
One thing I did notice - when I executed my second test above, I see that the account successfully logged in on both tenants. I can’t determine why we don’t get the token passed to jwt.io.