URN as entityId - Auth0 as IdP SAML

One of our customers wants to set up SAML using Auth0 as their IdP, so they come to us with settings provided by Auth0, and it fails our validation because their entityId is in the format of
urn:auth.tenant.com

Now, according to the specification, the value doesn’t seem to be a valid URN:
https://tools.ietf.org/html/rfc8141#section-2

Am I missing something, or is there a way for them to modify their EntityId used to connect to our SP?

Hi @marko.milanovic,

Welcome and thank you for posting in Auth0 Community!

Can you please share what type of connection you are using? There are two kinds of protocols; it looks like they are using the WS-Federation protocol.

We have two connection types that can connect to ADFS:

  • “ADFS” connections (which should really be called “WS-Federation” connection, as that’s the protocol used)
  • SAML connections

They both work because ADFS supports both the WS-Federation and the SAML protocols.

For each connection protocol we use a different metadata URL and entity ID.

  • SAML:

    • The format of the entity id is “urn:auth0::<connection_name>”
    • The metadata is obtained at https://{your_auth0_domain}/samlp/metadata?connection=<connection_name>
    • Instructions for ADFS set up are here: Configure ADFS as SAML Identity Provider
  • WS-Federation:

    • The format of the entity id is “urn:auth0:” (the connection name does not appear in there)
    • The metadata is obtained at https://{your_auth0_domain}/FederationMetadata/2007-06/FederationMetadata.xml
    • Instructions for ADFS set up are here: Connect Your App to ADFS

Can you please ask your customer to send us the metadata file? You can send me the file in a PM. Thank you!

I’m dealing with the same problem. We’re connecting to a partner using the generic SAML connection type. The partner is, correctly IMO, marveling at the format of the entityID which looks something like:

entityID="urn:auth0:[TENANT]:[CONNECTION NAME]"

when it seems like the usual way to do this is to use a URL:

entityID="https://[TENANT].auth0.com/"

I suspect the SAML 2 spec allows for the colon separated URI but maybe the common practice is to use a URL?

In our case the partner is able to set the entityID to whatever string we are using, so we have it working, but it would be useful to know the industry best practice or to be able to set whatever entityID we want.


This may be the source of the confusion. From the SAML 2 spec:

That suggests the use of a URL for an entityID, but Auth0 uses a URN-style string instead.

As the SAML 2 spec does mark the URL as recommended, is there anything in the roadmap to support URL as default (or make it a configuration option instead of an API call)?

Hi @chrisg,

Welcome to the Community. Best bet is to submit a feature request here: Auth0: Secure access for everyone. But not just anyone.


I think this is a bug in Auth0. As the original author points out Auth0’s entityID, when using Auth0 as a SAML 2.0 IdP, is invalid according to the spec. It looks like a URN but it doesn’t validate as a URN (Uniform Resource Name - Wikipedia) as it is missing a namespace identifier. Auth0’s entityID is also not an absolute URL. While configuring the entityID would be nice I think this is a bug that should be fixed.

Or are we interpreting the SAML spec differently?
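The thread turns on two questions: what an SP-side validator should accept as an entityID, and whether values like urn:auth.tenant.com or urn:auth0:[TENANT]:[CONNECTION NAME] are syntactically valid URNs. The following is an added example (not code from the thread, Auth0, or any SP product) that transcribes the RFC 8141 section 2 assigned-name grammar into a small parser and wraps it in an entityID check that applies the SAML 2.0 Core constraints (entityID must be an absolute URI, at most 1024 characters, a URL is recommended). The tenant name acme and connection name my-connection are constructed placeholders; urn:auth0: is the WS-Federation form quoted earlier in the thread.

```python
import re
from urllib.parse import urlsplit

# RFC 8141 section 2, transcribed from the ABNF:
#   assigned-name = "urn" ":" NID ":" NSS
#   NID           = (alphanum) 0*30(ldh) (alphanum)      -> 2..32 chars, first/last alphanumeric
#   NSS           = pchar *(pchar / "/")
#   pchar         = unreserved / pct-encoded / sub-delims / ":" / "@"
_NID_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,30}[A-Za-z0-9]$")
_PCHAR = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=:@]|%[0-9A-Fa-f]{2})"
_NSS_RE = re.compile(rf"^{_PCHAR}(?:{_PCHAR}|/)*$")

# SAML 2.0 Core 8.3.6: an entityID MUST NOT exceed 1024 characters.
MAX_ENTITY_ID_LEN = 1024


def parse_urn(value):
    """Return (nid, nss) if value is a syntactically valid RFC 8141 URN, else None.

    Optional r-component ("?+"), q-component ("?=") and f-component ("#") are
    removed first; only the assigned name is checked against the grammar.
    """
    name = value.split("#", 1)[0]
    for marker in ("?+", "?="):
        idx = name.find(marker)
        if idx != -1:
            name = name[:idx]
    parts = name.split(":", 2)
    # Exactly "urn", NID, NSS; "urn" is case-insensitive in the ABNF.
    if len(parts) != 3 or parts[0].lower() != "urn":
        return None
    nid, nss = parts[1], parts[2]
    if not _NID_RE.match(nid) or not _NSS_RE.match(nss):
        return None
    return (nid.lower(), nss)  # NIDs are case-insensitive, so normalise


def check_entity_id(value):
    """Classify a SAML entityID as an SP metadata validator might.

    Returns (accepted, kind, reason) where kind is 'url', 'urn', 'uri' or 'invalid'.
    A URN is accepted when it parses: SAML only recommends a URL, it does not require one.
    """
    if not value or len(value) > MAX_ENTITY_ID_LEN:
        return (False, "invalid", "entityID missing or longer than 1024 characters")
    parts = urlsplit(value)
    if not parts.scheme:
        return (False, "invalid", "entityID must be an absolute URI (no scheme found)")
    scheme = parts.scheme.lower()
    if scheme == "urn":
        parsed = parse_urn(value)
        if parsed is None:
            return (False, "invalid",
                    "scheme is urn but value is not an RFC 8141 URN (needs urn:<NID>:<NSS>)")
        return (True, "urn", f"URN with NID {parsed[0]!r}; SAML recommends a URL but accepts any URI")
    if scheme in ("http", "https") and parts.netloc:
        return (True, "url", "absolute URL, the form SAML 2.0 Core recommends")
    return (True, "uri", f"absolute URI with scheme {scheme!r}")


if __name__ == "__main__":
    # Constructed sample entityIDs: the two forms quoted in the thread plus placeholders.
    samples = [
        "urn:auth.tenant.com",             # from the original question: no NSS after the NID
        "urn:auth0:acme:my-connection",    # SAML-connection template with placeholder values
        "urn:auth0:",                      # WS-Federation form quoted above: empty NSS
        "https://acme.auth0.com/",         # the URL form the partner expected
        "auth.tenant.com",                 # not an absolute URI at all
    ]
    for s in samples:
        accepted, kind, reason = check_entity_id(s)
        print(f"{s!r:36} accepted={accepted!s:5} kind={kind:8} {reason}")
```

Run as a script it prints one classification line per sample; urn:auth.tenant.com is rejected because after "urn:" there is only one field (an NID with no NSS), while urn:auth0:acme:my-connection parses with NID auth0 and NSS acme:my-connection, since ":" is a legal pchar inside the NSS. Whether an unregistered NID should be accepted is a policy decision for the SP; the grammar check alone does not cover registration.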