We are trying to use Auth0 as a SAML identity provider, with the RingCentral application as the SAML service provider. The SAML handshake is occurring, but RingCentral is rejecting the SAML response from the Auth0 SAML identity provider.
I created a ticket with RingCentral. They report that my configuration of the Auth0 identity provider is not setting the RelayState parameter as needed. Can you tell me how to have the Auth0 SAML identity provider return the required RelayState parameter?
Kind regards,
Andy Bily
note: sent to RingCentral:
Single Sign-on integration between RingCentral and Auth0 via SAML - RingCentral Error
Hello, We’re trying to set up single sign-on integration between RingCentral and our Auth0 (division of Okta) single sign-on identity provider. We use Auth0 for other applications using SAML integration, and it works fine for us. With RingCentral integration, we’re getting an error: Error Unexpected Error Sorry for the inconvenience. Please contact your administrator to provide the reference number below in order to find the corresponding error. Reference number: fb9e4995-a12a-491a-a714-c698408cfaac
note from RingCentral:
Hello Andy,
Good day!
Apologies for the late response.
I have discussed this concern with our Engineers and they told me that you need to open a support case with Auth0, because the RelayState parameter should be sent to RingCentral along with the SAML response, but now the RelayState is blank and authentication fails.
Regards,
Ed
RingCentral Integrations Support
The RelayState parameter is the final destination URL on the Service Provider side, once the user has authenticated against Auth0.
Does the issue happen during the SP-initiated login? (Meaning the user first tries to reach the RingCentral app and as a result is redirected to the Auth0 Login Page?)
Could you navigate to: Auth0 tenant → Applications → RingCentral → Endpoints → SAML section → SAML Sign In
and update the existing URL to contain the RelayState parameter (most likely this parameter takes the same value you have set for the Callback URL for this app) in this format:
https://[auth0domain].us.auth0.com/samlp/FdPxxxxxxxxxxxxxbVk?RelayState=[URL of the final destination on the Service Provider site (RingCentral)]
On the browser side, after URL-encoding the RelayState parameter, it will look like this:
Can you please let me know if the issue persists when you copy and paste this URL along with RelayState directly to the browser search bar? (this way you will initiate authentication flow)
Looking at Auth0 tenants associated with your community email address, I was able to initiate the login flow for the tenant: platfxxxxx-gxxxxc-com.us.auth0.com and the following URL:
Were you able to move forward with your SAML integration?
I went ahead and also consulted our SAML engineering team, and the RelayState has to be provided by the SP along with the request to the Identity Provider Login URL. The exact string (URL decoded) will be returned as RelayState with the SAML response.
Suppose the application has the Identity Provider Login URL: https://test.local.dev.auth0.com/samlp/3h9qAQsqC4H9Uhhj4MnYiq3kkaG2qPYe
If the request made to Auth0 is https://test.local.dev.auth0.com/samlp/3h9qAQsqC4H9Uhhj4MnYiq3kkaG2qPYe?RelayState=https%3A%2F%2Fsso.ringcentral.com%2Fsp%2FACS.saml2
My advice would be to try with the https://sso.ringcentral.com/sp/ACS.saml2 as the RelayState and have this URL set as the Allowed Callback URLs in your Auth0 tenant → Applications → ringcentral → Settings → Allowed Callback URLs.
Hope this helps! Your feedback would be appreciated!
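The round trip described in the last reply, as an added example that is not part of the original thread or of Auth0's or RingCentral's code: it builds the Identity Provider Login URL with a URL-encoded RelayState and then classifies the form body posted back to the ACS URL, flagging the blank RelayState that RingCentral reported. The function names and the sample POST bodies are assumptions constructed for illustration; the two URLs are the ones quoted above.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, parse_qs, urlencode

# URLs quoted in the thread above.
IDP_LOGIN_URL = "https://test.local.dev.auth0.com/samlp/3h9qAQsqC4H9Uhhj4MnYiq3kkaG2qPYe"
RELAY_STATE = "https://sso.ringcentral.com/sp/ACS.saml2"


def build_login_url(idp_login_url: str, relay_state: str) -> str:
    """Append a URL-encoded RelayState to the Identity Provider Login URL."""
    parts = urlsplit(idp_login_url)
    # Drop any RelayState already present so the parameter appears exactly once.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "RelayState"]
    query.append(("RelayState", relay_state))
    return urlunsplit(parts._replace(query=urlencode(query)))


def check_acs_post(form_body: str, sent_relay_state: str) -> str:
    """Classify the form body the browser POSTs to the SP's ACS URL."""
    # keep_blank_values=True distinguishes "RelayState=" (blank) from absent.
    fields = parse_qs(form_body, keep_blank_values=True)
    if not fields.get("SAMLResponse", [""])[0]:
        return "no SAMLResponse"
    if "RelayState" not in fields:
        return "RelayState missing"
    returned = fields["RelayState"][0]
    if returned == "":
        return "RelayState blank"
    # The decoded value must be exactly the string sent with the request.
    if returned != sent_relay_state:
        return "RelayState mismatch"
    return "ok"


# Constructed sample POST bodies; the SAMLResponse value is a placeholder,
# not a real signed assertion.
SAMPLE_OK = urlencode({"SAMLResponse": "PHNhbWxwOlJlc3BvbnNlLz4=",
                       "RelayState": RELAY_STATE})
SAMPLE_BLANK = "SAMLResponse=PHNhbWxwOlJlc3BvbnNlLz4%3D&RelayState="

if __name__ == "__main__":
    print(build_login_url(IDP_LOGIN_URL, RELAY_STATE))
    print(check_acs_post(SAMPLE_OK, RELAY_STATE))
    print(check_acs_post(SAMPLE_BLANK, RELAY_STATE))
```

To compare against a real flow, copy the form data of the POST to the ACS URL from the browser's network tab and pass it as `form_body`.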