URN as entityId - Auth0 as Idp SAML

marko.milanovic · May 12, 2020, 9:46am

One of our customers wants to set up SAML using Auth0 as their IdP, so they come to us with settings provided by Auth0, and it fails our validation because their entityId is in the format of
urn:auth.tenant.com

Now, according to the specification, the value doesn’t seem to be a valid urn
https://tools.ietf.org/html/rfc8141#section-2

Am I missing something, or is there a way for them to modify their EntityId used to connect to our SP?

lily.wisecarver · May 18, 2020, 11:44pm

Hi @marko.milanovic,

Welcome and thank you for posting in Auth0 Community!

Can you please share what type of connection are you using? There are two kind of protocols, it looks like they are using the Ws-Federation protocol.

We have two connection types that can connect to ADFS:

“ADFS” connections (which should really be called “WS-Federation” connection, as that’s the protocol used)
SAML connections

They both work because ADFS supports both the WS-Federation and the SAML protocols.

For each connection protocol we have different metadata URLs and entity ID used.

SAML:
- The format of the entity id is “urn:auth0::<connection_name>”
- The metadata is obtained at https://{your_auth0_domain}/samlp/metadata?connection=<connection_name>
- Instructions for ADFS set up are here: Configure ADFS as SAML Identity Provider
WS-Federation:
- The format of the entity id is “urn:auth0:” (the connection name does not appear in there)
- The metadata is obtained at https://{your_auth0_domain}/FederationMetadata/2007-06/FederationMetadata.xml
- Instructions for ADFS set up are here: Connect Your App to ADFS

Can you please ask your customer to send us the metadata file? You can send me the file in a PM. Thank you!

markd · June 11, 2020, 4:11pm

I’m dealing with the same problem. We’re connecting to a partner using the generic SAML connection type. The partner is, correctly IMO, marveling at the format of the entityID which looks something like:

entityID="urn:auth0:[TENANT]:[CONNECTION NAME]"

when it seems like the usual way to do this is to use a URL:

entityID="https://[TENANT].auth0.com/

I suspect the SAML 2 spec allows for the colon separated URI but maybe the common practice is to use a URL?

In our case the partner is able to set the entityID to whatever string we are using so we have it working, but it would be useful to known the industry best practice or to be able to set whatever entityID we want.

markd · June 12, 2020, 12:35am

This may be the source of the confusion. From the SAML 2 spec:

That suggest the use of a URL for an entityID, but Auth0 uses a URN-style string instead.

chrisg · September 28, 2020, 2:51pm

As the SAML 2 spec does mark the URL as recommended, is there anything in the roadmap to support URL as default (or make it a configuration option instead of an API call)?

markd · October 1, 2020, 12:34am

Hi @chrisg,

Welcome to the Community. Best bet is to submit a feature request here: Auth0: Secure access for everyone. But not just anyone.

Topic		Replies	Views
SAML metadata entityID issue - Auth0 as IDP Help saml	3	4719	December 27, 2018
URL for SAML Issuer Entity ID instead of URN for single Application Help saml , auth0	0	4061	August 12, 2019
Create an Entity ID for SAML Connection in the form of a URL Knowledge Articles saml2 , saml-enterprise-connections , entity-id	1	3098	December 13, 2023
SAML Send URL instead of Entity ID Help saml	4	5309	April 8, 2018
How can I add Auth0 as IdP into ADFS? Help saml , auth0 , adfs , samlp , saml2	5	5678	November 8, 2018

URN as entityId - Auth0 as Idp SAML

Related topics