Try Button for an SSO Connection Leads to Redirect URI Errors

Overview

This article explains a possible cause of a redirect Uniform Resource Identifier (URI) error that occurs when selecting the Try button to test a Single Sign-On (SSO) connection. The login process fails, and the following error message appears:

Invalid OAuth2 redirect_uri

Applies To

  • Single Sign-On (SSO)
  • Try connection

Cause

The Try button uses the tenant’s canonical domain (<tenant_name>.auth0.com) and the tenant’s built-in client ID, referred to as All Applications. This client ID is reserved for specific internal tests and fallback purposes only. The request generated by the Try button passes the connection parameter directly to the configured Identity Provider’s (IdP) login page.

If the IdP is set up to use the tenant’s custom domain for the callback URL, a mismatch error arises because the Try button always uses the canonical domain, not the custom domain specified in the IdP configuration.

Solution

If the tenant uses a custom domain and the Single Sign-On (SSO) connection is also configured to use that custom domain for the callback Uniform Resource Locator (URL), follow these steps to test the connection manually:

  1. Right-click on the Try button associated with the SSO connection.
  2. From the context menu that appears, select Copy Link Address.
  3. Paste the copied URL into the address bar of a web browser.
  4. In the pasted URL, replace the tenant’s canonical domain portion (e.g., <tenant_name>.auth0.com) with the tenant’s configured custom domain name.
  5. Press Enter to navigate to the modified URL. This action initiates the test using the custom domain.
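
Steps 3 to 5 can also be done with a small script, shown here as an added example that is not part of the original article or Auth0's own tooling. The hostnames, the `/authorize` path, and the query values are constructed placeholders; a real copied Try link may carry different parameters, and the function changes only its hostname.

```javascript
// Added example. All hostnames and parameter values are constructed placeholders.
const HOSTNAME_RE = /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;

function toCustomDomainTryUrl(copiedLink, customDomain) {
  const url = new URL(copiedLink); // throws TypeError on malformed input

  if (url.protocol !== "https:") {
    throw new Error("expected an https Try link");
  }
  // The article gives the canonical domain as <tenant_name>.auth0.com.
  if (!url.hostname.endsWith(".auth0.com")) {
    throw new Error("link does not use a canonical auth0.com domain");
  }
  // Accept only a bare hostname: no scheme, path, port, or userinfo.
  if (!HOSTNAME_RE.test(customDomain)) {
    throw new Error("custom domain must be a bare hostname");
  }

  const rest = url.pathname + url.search + url.hash;
  url.hostname = customDomain;

  // Only the host may change; path and parameters must be untouched.
  if (url.pathname + url.search + url.hash !== rest) {
    throw new Error("rewrite altered more than the hostname");
  }
  return url.href;
}

// Constructed sample link (assumed shape, not copied from a real tenant).
const SAMPLE_LINK =
  "https://example-tenant.auth0.com/authorize" +
  "?client_id=PLACEHOLDER_CLIENT_ID&connection=example-sso";

console.log(toCustomDomainTryUrl(SAMPLE_LINK, "login.example.com"));
```

Open the returned URL in the browser to run the test against the custom domain.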