SSO SAML failing with Auth0 as Identity Provider - Missing RelayState in SAML response

Hello,

We are trying to use Auth0 as a SAML identity provider for using the RingCentral application as the SAML service provider. The SAML handshake is occurring, but RingCentral is rejecting the SAML response from Auth0 SAML identity provider.

I created a ticket with Ring Central. They report that my configuration of Auth0 identity provider is not setting the RelayState parameter as needed. Can you tell me how to have Auth0 SAML identity provider to return the RelayState parameter required?

Kind regards,

Andy Bily

note: sent to RingCentral:
Single Signon integration between RingCentral -and- Auth0 via SAML - Ring Central Error
Hello, We’re trying to setup single signon integration between Ring Central and our Auth0 (division of Okta) single signon identity provider. We use Auth0 for other applications using SAML integration, and it works fine for us. With Ring Central integration, we’re getting an error: Error Unexpected Error Sorry for the inconvenience. Please contact your administrator to provide the reference number below in order to find the corresponding error. Reference number: fb9e4995-a12a-491a-a714-c698408cfaac

note from RingCentral:
Hello Andy,
Good day!
Apologies for the late response.
I have discussed this concern with our Engineers and they told me that you need to open a support case with Auth0, because the RelayState parameter should be sent to RingCentral along with the SAML response, but now the Relay State is blank and authentication fails.
Regards,
Ed
RingCentral Integrations Support

Hi @ajbily , I will try to help with that.

The RelayState parameter is the final destination URL on the Service Provider side, once the user has authenticated against Auth0.

Does the issue happen during the SP initiated login? (Meaning the user first try to reach RingCentral app and as a result is redirected to Auth0 Login Page?)

Could you navigate to:
Auth0 tenant->Applications -> RingCentral->Endpoints->SAML section-> SAML Sign In

and update the existing URL to contain the RelayState parameter (most likely this parameter takes the same value you have set for the Callback URL for this app) in this format:

https://[auth0domain].us.auth0.com/samlp/FdPxxxxxxxxxxxxxbVk?RelayState=[URL of the final destination on the Service Provider site (RingCentral)]

On the browser side, after URL-encoding the RelayState parameter, it will look like this:

Please let us know if it works for you!

Hi Marclina,

Thanks for the reply.

The URL doesn’t seem to be editable in the UI (I can copy the URL, but can’t seem to edit it). Thoughts?

Regards,

Andy

Hi Andy,

I will investigate this further.

Can you please let me know if the issue persists when you copy and paste this URL along with relayState directly to the browser search bar? (this way you will initiate authentication flow)

Hi Marcelina,

Here’s what I get when i paste the URL, including the RelayState into the browser:

Thank you!

And if you URL-encode the RelayState?

Looking at auth0 tenants associated with your community email address, I was able to initiate the login flow for the tenant: platfxxxxx-gxxxxc-com.us.auth0.com and the following URL:

https://platfxxxxx-gxxxxc-com.us.auth0.com/samlp/FdPBl4bWxxxxxxxxxxxxKbVk?RealyState=https%3A%2F%2Fsso.ringcentral.com%2Fsp%2FACS.saml2

For the RelayState I used this callback url (URL-encoded):

Could you try to test the login with this one?

Hi @ajbily !

Were you able to move forward with your SAML integration?

I went ahead and also consulted our SAML engineering team - and the RelayState has to be provided by SP along with the request to the Identity Provider Login URL . The exact string (URL decoded) will be returned as RelayState with the SAML response.

Suppose the application has the Identity Provider Login URL: https://test.local.dev.auth0.com/samlp/3h9qAQsqC4H9Uhhj4MnYiq3kkaG2qPYe
If the request made to Auth0 is
https://test.local.dev.auth0.com/samlp/3h9qAQsqC4H9Uhhj4MnYiq3kkaG2qPYe?RelayState=https%3A%2F%2Fsso.ringcentral.com%2Fsp%2FACS.saml2

The returned response will be

SAMLResponse: <encoded string>
RelayState: https://sso.ringcentral.com/sp/ACS.saml2

My advice would be to try with the https://sso.ringcentral.com/sp/ACS.saml2 as the RelayState and have this URL set as the Allowed Callback URLs in your Auth0 tenant → Applications → ringcentral → Settings → Allowed Callback URLs.

Hope this helps! Your feedback would be appreciated!
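To make the exchange described in this reply (and in the earlier suggestion to append RelayState to the SAML Sign In URL) concrete, here is an added worked example; it is not code from the thread, from Auth0 or from RingCentral. It walks an SP-initiated login end to end: the SP appends a URL-encoded RelayState to the Identity Provider Login URL, the IdP reads it back (URL-decoded), checks it against an allow-list, and echoes it unchanged next to the SAMLResponse in the form POSTed to the ACS. The allow-list check is a hypothetical stand-in for Auth0's "Allowed Callback URLs" setting (its exact matching rules are not described in the thread), the `acs_accepts` check stands in for RingCentral's rejection of a blank RelayState, and the SAMLResponse value is a constructed placeholder rather than a real signed assertion.

```python
"""
Added example: carrying RelayState from the SP's request to the IdP
login URL back to the SP's ACS alongside the SAMLResponse.
Not Auth0's or RingCentral's code; see the assumptions in the comments.
"""
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# URLs taken from the thread. FAKE_SAML_RESPONSE is a constructed
# placeholder, not a real base64-encoded signed SAML assertion.
IDP_LOGIN_URL = "https://test.local.dev.auth0.com/samlp/3h9qAQsqC4H9Uhhj4MnYiq3kkaG2qPYe"
ACS_URL = "https://sso.ringcentral.com/sp/ACS.saml2"
FAKE_SAML_RESPONSE = "PHNhbWxwOlJlc3BvbnNlIC4uLiAvPg=="


def build_idp_login_url(idp_login_url: str, relay_state: Optional[str]) -> str:
    """SP side: append RelayState (URL-encoded) to the IdP login URL.
    With relay_state=None this reproduces the failing case from the thread,
    where the request reaches the IdP with no RelayState at all."""
    if relay_state is None:
        return idp_login_url
    return f"{idp_login_url}?{urlencode({'RelayState': relay_state})}"


def extract_relay_state(request_url: str) -> Optional[str]:
    """IdP side: read RelayState from the incoming login request, URL-decoded."""
    query = parse_qs(urlsplit(request_url).query)
    return query.get("RelayState", [None])[0]


def relay_state_is_allowed(relay_state: Optional[str], allowed_callback_urls: List[str]) -> bool:
    """Hypothetical allow-list check (assumption: stands in for Auth0's
    Allowed Callback URLs). Exact match on scheme, host and path; anything
    else is refused so RelayState cannot be abused as an open redirect."""
    if not relay_state:
        return False
    target = urlsplit(relay_state)
    for allowed in allowed_callback_urls:
        a = urlsplit(allowed)
        if (target.scheme, target.netloc, target.path) == (a.scheme, a.netloc, a.path):
            return True
    return False


def build_acs_post(saml_response_b64: str, relay_state: Optional[str]) -> Dict[str, str]:
    """IdP side: form fields POSTed to the SP's ACS. RelayState is echoed
    back exactly as received; if none was received, none is sent."""
    form = {"SAMLResponse": saml_response_b64}
    if relay_state is not None:
        form["RelayState"] = relay_state
    return form


def acs_accepts(form: Dict[str, str]) -> bool:
    """SP side (assumption: models the rejection reported by RingCentral):
    the ACS needs a non-blank RelayState next to the SAMLResponse."""
    return bool(form.get("SAMLResponse")) and bool(form.get("RelayState", "").strip())


def sp_initiated_login(relay_state: Optional[str], allowed_callback_urls: List[str]) -> Dict[str, str]:
    """Drive the exchange end to end and return the form the ACS receives.
    Raises ValueError when the IdP refuses a RelayState that is not allowed."""
    login_url = build_idp_login_url(IDP_LOGIN_URL, relay_state)
    received = extract_relay_state(login_url)
    if received is not None and not relay_state_is_allowed(received, allowed_callback_urls):
        raise ValueError(f"RelayState not in Allowed Callback URLs: {received}")
    return build_acs_post(FAKE_SAML_RESPONSE, received)


if __name__ == "__main__":
    print(build_idp_login_url(IDP_LOGIN_URL, ACS_URL))
    good = sp_initiated_login(ACS_URL, [ACS_URL])
    print(good, "accepted" if acs_accepts(good) else "rejected")
    blank = sp_initiated_login(None, [ACS_URL])
    print(blank, "accepted" if acs_accepts(blank) else "rejected")
```

Running it prints the same login URL shown in this reply, then an ACS form that carries RelayState (accepted) and one without it (rejected), which is the blank-RelayState failure RingCentral reported. The allow-list step is the point worth keeping in mind on the IdP side: because RelayState is returned verbatim, a value that is not restricted to the SP's own callback URLs is a redirect target under the requester's control.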
