The SAML Request AssertionConsumerServiceURL is invalid

joshua-golub · July 14, 2020, 10:02pm

I am getting this error:

{
  "date": "2020-07-14T21:39:38.651Z",
  "type": "f",
  "description": "The SAML Request AssertionConsumerServiceURL is invalid: 'https://d1e17fe52369.ngrok.io/amazon/assert'",
  "connection_id": "",
  "ip": "71.176.222.191",
  "user_agent": "Chrome 83.0.4103 / Windows 10.0.0",
  "details": {
    "body": {},
    "qs": {
      "SAMLRequest": "jZJLT+MwFIX/SuR9nNh5tVYa1KGgVipQkTCL2Yzc+IZ6SOxiO+Xx6zHtIHUzaLZX5/i751yXF69DHxzAWKnVDBEco4uqnI9up+7heQTrAi9QdoZGo5jmVlqm+ACWuZbV85s1ozhme6OdbnWPTmJm+dB/7+DWgnGeiYKfX3A/R8FqMUO/J51IaCuyNt+mKe2A0iydtAURIid5l8VFlyciS1I68QZrR1gp67hy/o2YxmFchCRtKGHJlKUUT+PpLxQsfBapuDuids7tLYsiAYdQcqlf5DbDo8XcB49xq4foM8I+cktaK3uVwjr+8/q+e+BNMamX49Py6tnc0AVBwfwryKVWdhzA1GAOsoWH+/UZhgApOshokk+xejT6CUsd8YG/axWdqkDB5m+JP6QSUj1+39/2JLJs2TSbcHNXN6gqP3dmxz5M9V/oARwX3HHsz1ZG5/by1iNXi43uZfsWXGszcPfvjQgmx4kUYXeUslHZPbSykyB8R32vXy4NcAcz5MwIKKrK6PyTVR8="
    },
    "error": {
      "message": "The SAML Request AssertionConsumerServiceURL is invalid: 'https://d1e17fe52369.ngrok.io/amazon/assert'",
      "oauthError": "invalid_request",
      "type": "request-error"
    }
  },
  "hostname": "dev-iaiowib5.us.auth0.com",
  "log_id": "90020200714213943980000160508053563541153156205681573906",
  "_id": "90020200714213943980000160508053563541153156205681573906",
  "isMobile": false
}

The decoded SAML request looks like this:

<?xml version="1.0"?>
<AuthnRequest
	AssertionConsumerServiceURL="https://d1e17fe52369.ngrok.io/amazon/assert"
	Destination="https://dev-iaiowib5.us.auth0.com/samlp/tH2SnsE4eL0jxzhUaT78SHukHEqrM2D1" 
	ID="_bdf71d4b8f53c8a8fddd0a967df89e304bdea8db42" 
	IssueInstant="2020-07-14T21:21:24.303Z" 
	ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
	Version="2.0" 
	xmlns="urn:oasis:names:tc:SAML:2.0:protocol" 
	xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
	<saml:Issuer>https://d1e17fe52369.ngrok.io/amazon/metadata.xml</saml:Issuer>
	<NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</AuthnRequest>

My Allowed Callback URLs look like this:

So, what can be causing the error?

The SAML Request AssertionConsumerServiceURL is invalid: https://d1e17fe52369.ngrok.io/amazon/assert’

Thanks in advance for any help you can offer.

karen1 · July 15, 2020, 9:34pm

Good afternoon,

First, I would recommend redacting some of the information you provided here since it is a public forum.

Generally, this error indicates that you are missing the Callback URL the SAML response will be posted to or it was entered incorrectly.

This is in the first field when you open the SAML2 addon settings page. It is the step 11 in these instructions: Configure Auth0 as SAML Identity Provider

If you are still experiencing issues, can you check if you have turned on the SAML2 Web App addon in the particular client? Also, can you please capture an HTTP trace during the attempted login and dm this to me? Usually this helps us to identify the exact reason for the error. Instructions are at Generate and Analyze HAR Files