What is "Unverified Domain" in the Context of SAML IdP-Initiated Flow


In the documentation for the SAML IdP-initiated flow, the “unverified domain” is described as follows:

  • In an IdP initiated flow, Auth0 servers strip scopes inside a token if the callback URL is an unverified domain. If you use an unverified domain for testing, like localhost, as your callback URL, tokens from the /userinfo endpoint return an empty response. To get a token response with requested scopes, use a verified domain.

It gives localhost as an example of an “unverified domain”. This article explains how an unverified domain is defined in this context.
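The symptom described above (an access token whose scopes were stripped, and an empty /userinfo response) is easiest to confirm by looking at the token itself. The following is an added diagnostic example, not code from the Auth0 documentation or from Auth0 itself. It assumes the access token is a compact JWT carrying a `scope` claim (the usual shape of an Auth0 JWT access token); the tenant, audience and subject values are constructed for the demonstration, and the token builder produces a placeholder signature because the point is inspection, not validation. Only the host `localhost` is classified as unverified, because that is the only example the article gives.

```python
import base64
import json
from urllib.parse import urlparse


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def token_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    Inspection only: the signature is NOT verified here. Use this to see
    what was issued, never to make an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_scopes(token: str) -> list:
    """Scopes carried in the token's `scope` claim; [] if absent or empty."""
    scope = token_claims(token).get("scope", "")
    return scope.split() if isinstance(scope, str) else []


def callback_is_localhost(callback_url: str) -> bool:
    """True when the callback URL's host is localhost, the unverified-domain
    example the article gives. Other hosts are deliberately not classified."""
    host = urlparse(callback_url).hostname
    return host is not None and host.lower() == "localhost"


def diagnose(callback_url: str, access_token: str) -> str:
    """Explain an empty /userinfo response after an IdP-initiated login."""
    scopes = token_scopes(access_token)
    if scopes:
        return "token carries scopes %s; look elsewhere for the empty /userinfo" % " ".join(scopes)
    if callback_is_localhost(callback_url):
        return ("token has no scopes and the callback host is localhost: "
                "scopes were stripped for an unverified domain, use a verified domain")
    return "token has no scopes; check the requested scopes and the callback domain"


def make_sample_token(claims: dict) -> str:
    """Build a CONSTRUCTED sample token for offline demonstration.

    The signature segment is a placeholder; real tokens are signed by Auth0
    and must be verified with the tenant's signing key before use.
    """
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return "%s.%s.%s" % (header, payload, "placeholder-signature")


# Constructed sample tokens: issuer, audience and subject are assumptions.
VERIFIED_TOKEN = make_sample_token({
    "iss": "https://example-tenant.auth0.com/",
    "sub": "samlp|user@example.com",
    "aud": "https://example-tenant.auth0.com/userinfo",
    "scope": "openid profile email",
})
STRIPPED_TOKEN = make_sample_token({
    "iss": "https://example-tenant.auth0.com/",
    "sub": "samlp|user@example.com",
    "aud": "https://example-tenant.auth0.com/userinfo",
    # no `scope` claim at all, as an approximation of a stripped token
})


if __name__ == "__main__":
    print(diagnose("http://localhost:3000/callback", STRIPPED_TOKEN))
    print(diagnose("https://app.example.com/callback", VERIFIED_TOKEN))
```

Run it against a real access token obtained through the IdP-initiated flow by passing the token string to `diagnose` together with the application's configured callback URL; if the scopes are present, the empty /userinfo response has a different cause than an unverified domain.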

Applies To

  • SAML IdP-initiated flow


While it can have different meanings in other contexts, in this case, “unverified domain” simply refers to localhost and