Static RelayState for SAML Application in Auth0 - IdP Initiated

Hi

I have what I thought was a simple issue that I’m struggling to address. I’m hoping I’m missing something obvious here.

My setup is a single application in Auth0 that is configured for SAML. Works fine for SP initiated.

Customer also has an OIDC Enterprise connection enabled, which acts as a dashboard. The dashboard will have an app tile that contains the URL for the SAML application in Auth0, along with the connection parameter to ensure that all users are sent to the IdP to authenticate. The Auth0 authentication challenge should not be seen by customers.

So OIDC Enterprise connection. SSO to app via SAML.

What Works
For SP init, SAML app sends a RelayState which Auth0 returns in the SAML response after authentication via the IdP (or standard Auth0 database connection). All good, but this isn’t the required user journey which will be IdP initiated.

What Doesn’t Work
When the user journey starts at the IdP (dashboard) the application tile has the Auth0 SAML Application Login URL from the SAML application associated. That should trigger a request for the SAML application, using the IdP connector and result in the user authenticating to Auth0 and a SAML response being sent to the SAML application. However, the RelayState parameter sent to the SAML application along with the SAML response is blank and authentication fails. The app support team have provided a static value for the SAML RelayState parameter when access is IdP initiated but I cannot find anywhere I can configure that in the application in Auth0.

Other Options
I can make the dashboard link to the app trigger an SP init flow, but that means I can’t provide the connection parameter, and the users will see the Auth0 UI.

I considered Actions, but I can only decorate the SAML token, not determine that a RelayState parameter is sent with the SAML response to the target SAML application. I can’t see a way to add a parameter to the body of the POST request when the SAML response is sent. The API object allows for setting a lot of SAML related functions, but not RelayState.

Outstanding Question
How do I set a static value for the RelayState parameter that is returned to a SAML application when the access is IdP initiated?

Hi Everyone. It’s looking like this isn’t actually doable. Spent some more time looking around. In pretty much any other IdP, there’s a SAML configuration called Default Relay State that you can assign to a static value. It’s a very IdP init use case, which is not Auth0’s focus as there is no OOB dashboard (for example), but I just need to provide a value to a parameter that Auth0 is already sending. Just…can’t…get…to it.

Hi, I saw this post which seems to be indicating a possible way to do what you want. Does this work for you? I’m evaluating the platform and haven’t been able to try anything out yet.

Hi, @dan.woda and Auth0 team.

Please, is there any recommendation on how to update the RelayState to a static value?

Thanks

Hi Guilherme. I had to work around this. There is no way to provide a static Relay State in Auth0.

What I did in the end is in the application dashboard the customer uses, the link to the application is actually a custom link that triggers SP init SSO to the target application. In the target application, I curated the SAML metadata so that the ACS URL has the enterprise connection appended as a parameter. As the request is SP init, the RelayState is set by the SP. As the user is already logged in to the application dashboard, they have an existing session and so are bounced back to Auth0, authenticated, and then the SAML response is sent to the target application with the original RelayState in it.

It’s a roundabout solution, but it’s effective.
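The thread turns on two facts about RelayState: Auth0 returns whatever the SP sent in an SP-initiated flow, and sends it blank in an IdP-initiated one. The following is an added example, not code from any poster or from Auth0, showing the SP-side half of that picture: an Assertion Consumer Service handler that tells the two flows apart by the presence of InResponseTo, falls back to a configured static default when RelayState arrives blank, and validates any non-blank value as a site-relative path before redirecting to it, since RelayState is attacker-influenced and a classic open-redirect sink if trusted blindly. The default path, the allowlisted prefixes, the minimal unsigned SAML responses and the form bodies are all constructed for illustration; signature and assertion validation are out of scope here and would have to run before this logic in a real SP.

```python
"""Added example (not from the thread or Auth0): SP-side handling of the
SAML HTTP-POST binding's RelayState field.

All names, paths and the sample responses are constructed for illustration.
Signature and assertion validation are out of scope and must precede this
logic in a real Service Provider."""
import base64
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical SP configuration: the static value an app requires for
# IdP-initiated access, and the local path prefixes a RelayState may target.
DEFAULT_RELAY_STATE = "/dashboard/"
ALLOWED_PATH_PREFIXES = ("/dashboard/", "/app/")

SAML_PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


def is_safe_relay_state(relay_state: str) -> bool:
    """Accept only a site-relative path under an allowlisted prefix.

    Rejects absolute URLs, scheme-relative '//host' forms and backslashes
    (which browsers normalise to slashes), so a tampered RelayState cannot
    turn the post-login redirect into an open redirect."""
    parsed = urlparse(relay_state)
    if parsed.scheme or parsed.netloc:
        return False
    if not relay_state.startswith("/") or relay_state.startswith("//"):
        return False
    if "\\" in relay_state:
        return False
    return relay_state.startswith(ALLOWED_PATH_PREFIXES)


def decode_saml_response(saml_response_b64: str) -> ET.Element:
    """Decode the base64 SAMLResponse form field into its XML root element."""
    return ET.fromstring(base64.b64decode(saml_response_b64))


def is_idp_initiated(response_root: ET.Element) -> bool:
    """An IdP-initiated (unsolicited) Response carries no InResponseTo,
    because there was no AuthnRequest from the SP for it to answer."""
    return response_root.get("InResponseTo") is None


def resolve_relay_state(relay_state: Optional[str]) -> str:
    """Pick the post-login destination.

    A blank RelayState (what the thread reports for the IdP-initiated flow)
    falls back to the static default; a non-blank one is honoured only if it
    passes the allowlist check."""
    if not relay_state:
        return DEFAULT_RELAY_STATE
    if not is_safe_relay_state(relay_state):
        raise ValueError(f"rejected RelayState {relay_state!r}")
    return relay_state


def handle_acs_post(form_body: str) -> dict:
    """Process a urlencoded HTTP-POST binding body as received at the ACS URL."""
    fields = parse_qs(form_body, keep_blank_values=True)
    saml_response = fields.get("SAMLResponse", [""])[0]
    relay_state = fields.get("RelayState", [""])[0]
    root = decode_saml_response(saml_response)
    return {
        "idp_initiated": is_idp_initiated(root),
        "in_response_to": root.get("InResponseTo"),
        "relay_state": resolve_relay_state(relay_state),
    }


def _constructed_body(in_response_to: Optional[str], relay_state: str) -> str:
    """Build a constructed, unsigned, minimal Response wrapped in a POST body."""
    attrs = f'xmlns:samlp="{SAML_PROTOCOL_NS}" ID="_resp1" Version="2.0"'
    if in_response_to:
        attrs += f' InResponseTo="{in_response_to}"'
    xml = f"<samlp:Response {attrs}></samlp:Response>"
    b64 = base64.b64encode(xml.encode()).decode()
    return urlencode({"SAMLResponse": b64, "RelayState": relay_state})


# Constructed sample POST bodies: an SP-initiated login whose RelayState was
# set by the SP, and an IdP-initiated login with the blank RelayState the
# thread describes.
SP_INIT_BODY = _constructed_body("_req42", "/app/reports")
IDP_INIT_BODY = _constructed_body(None, "")

if __name__ == "__main__":
    print(handle_acs_post(SP_INIT_BODY))
    print(handle_acs_post(IDP_INIT_BODY))
```

The allowlist is deliberately a prefix match on paths ending in a slash, so a value like `/dashboardx` or `/admin` is refused rather than silently redirected to; an SP that must accept a fixed static RelayState can simply set `DEFAULT_RELAY_STATE` to that value and keep the allowlist as the guard for everything else.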