Currently, when using Auth0 Organizations with unique SAML connections per customer, the IdP-initiated SSO flow requires dynamic query parameters (connection and organization) to be appended to the ACS URL.
However, we are blocked from joining the Microsoft Entra Application Gallery because it strictly requires a single, static ACS URL (e.g., https://{tenant}.auth0.com/login/callback). When we omit the dynamic parameters to comply with the Gallery’s requirements, Auth0 throws an invalid_request error because it cannot route the assertion to the correct connection.
We are requesting a mechanism to route IdP-initiated assertions to the correct connection/organization when multiple connections share a single static ACS endpoint. Potential solutions could include:
- Allowing Auth0 to use RelayState to identify the target Organization/Connection.
- Mapping the SAML Issuer or EntityID directly to the target Organization without requiring URL parameters.
- Providing a supported architectural pattern or proxy configuration native to Auth0 that resolves this static entry requirement for Entra.
Use-case: We are building a multi-tenant SaaS application that leverages Auth0 Organizations, assigning separate, unique SAML connections for each of our enterprise customers.
This feature would allow us to publish our application in the Microsoft Entra Application Gallery. Joining the Gallery is a critical business requirement for us, as it drastically reduces friction for our enterprise customers during onboarding and provides them with a standardized, trusted setup experience. This would allow us to scale our enterprise Microsoft integrations seamlessly without compromising our Auth0 Organizations architecture.
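Added example (not code from the original post and not an Auth0 feature): a Python sketch of the proxy pattern the third bullet describes, combining the Issuer/EntityID mapping from the second bullet with a RelayState fallback from the first. A front-door endpoint receives the IdP-initiated POST at the single static ACS URL, reads the Response-level Issuer (and, failing that, a registered RelayState value), looks up the customer's organization and connection, and re-POSTs the unchanged SAMLResponse to the connection-specific callback with the `connection` and `organization` query parameters the post mentions. The entity IDs, RelayState tokens, organization and connection names, and the `example.auth0.com` callback are constructed placeholders. Routing happens on an unverified Issuer, which is acceptable only because the proxy grants nothing itself: it merely selects which connection's signing certificate the downstream handler will use to verify the assertion, so signature validation still happens per connection.

```python
import base64
import html
import xml.etree.ElementTree as ET
from typing import Optional, Tuple
from urllib.parse import urlencode

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

Route = Tuple[str, str]  # (organization, connection)

# Hypothetical routing tables; values are constructed placeholders. In a real
# deployment these come from the per-customer connection records.
ISSUER_ROUTES = {
    "https://sts.windows.net/11111111-1111-1111-1111-111111111111/": ("org_acme", "acme-entra-saml"),
}
RELAY_STATE_ROUTES = {
    "tenant-beta": ("org_beta", "beta-entra-saml"),
}


def make_response(issuer: str) -> str:
    """Build a minimal, unsigned SAML Response (constructed test fixture) and
    base64-encode it the way an IdP POSTs it in the SAMLResponse form field."""
    xml = (
        f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
        'ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        f"<saml:Issuer>{html.escape(issuer)}</saml:Issuer>"
        "<samlp:Status><samlp:StatusCode "
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        "</samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


def issuer_from_response(saml_response_b64: str) -> Optional[str]:
    """Return the Response-level <saml:Issuer> text, or None when the payload
    is not valid base64/XML, is not a <samlp:Response>, or has no Issuer.
    Only the direct child of the Response is consulted, never an Issuer
    nested inside an Assertion. (For production use prefer defusedxml.)"""
    try:
        root = ET.fromstring(base64.b64decode(saml_response_b64, validate=True))
    except (ValueError, ET.ParseError):
        return None
    if root.tag != f"{{{SAMLP_NS}}}Response":
        return None
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        return None
    return issuer.text.strip()


def resolve_route(saml_response_b64: str, relay_state: Optional[str] = None) -> Optional[Route]:
    """Pick (organization, connection) for an IdP-initiated assertion: first by
    the Issuer entityID, then by a registered RelayState value, else None."""
    issuer = issuer_from_response(saml_response_b64)
    if issuer in ISSUER_ROUTES:
        return ISSUER_ROUTES[issuer]
    if relay_state in RELAY_STATE_ROUTES:
        return RELAY_STATE_ROUTES[relay_state]
    return None


def forward_url(route: Route, acs_base: str) -> str:
    """Connection-specific callback URL in the form the post describes."""
    org, conn = route
    return f"{acs_base}?{urlencode({'connection': conn, 'organization': org})}"


def autopost_form(saml_response_b64: str, relay_state: Optional[str], route: Route, acs_base: str) -> str:
    """HTML that re-POSTs the unchanged SAMLResponse to the routed callback.
    A 302 redirect would drop the POST body, so the proxy answers with an
    auto-submitting form instead; all values are HTML-escaped."""
    action = html.escape(forward_url(route, acs_base), quote=True)
    fields = [f'<input type="hidden" name="SAMLResponse" value="{html.escape(saml_response_b64, quote=True)}">']
    if relay_state is not None:
        fields.append(f'<input type="hidden" name="RelayState" value="{html.escape(relay_state, quote=True)}">')
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{action}">{"".join(fields)}'
        '<noscript><input type="submit" value="Continue"></noscript></form></body></html>'
    )


if __name__ == "__main__":
    acs = "https://example.auth0.com/login/callback"
    resp = make_response("https://sts.windows.net/11111111-1111-1111-1111-111111111111/")
    route = resolve_route(resp)
    print(route, forward_url(route, acs))
```

The order of precedence matters: the Issuer is authoritative for the tenant because it is part of the signed Response, while RelayState is attacker-controllable form data and is only consulted as a fallback to a pre-registered value. Unknown issuers and unregistered RelayState values resolve to `None`, and the proxy should answer those with an error rather than a default connection.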