What is "Unverified Domain" in the Context of SAML IdP-Initiated Flow

gabriela.pantea · July 2, 2024, 8:19pm

Overview

In the document of the SAML IdP-initiated flow there is a description of the “unverified domain” as below:

In an IdP initiated flow, Auth0 servers strip scopes inside a token if the callback URL is an unverified domain. If you use an unverified domain for testing, like localhost, as your callback URL, tokens from the /userinfo endpoint return an empty response. To get a token response with requested scopes, use a verified domain.

It gives localhost as an example of an “unverified domain". This article explains what is the definition of an unverified domain in this context.

While it can have different meanings in other contexts, in this case, “unverified domain” simply refers to localhost and 127.0.0.1.

Topic		Replies	Views
IdP Initiated SAML Integration - Empty Response from /userinfo Knowledge Articles userinfo , saml2 , idp-initiated , empty , response	1	353	February 6, 2024
Flow for IDP Initiated SSO/SAML Help saml , idp-initiated	2	4597	December 24, 2018
IdP-Initiated SSO flow question Help saml , sso , idp-initiated	1	3806	March 11, 2020
Testing IDP Initiated SSO from local dev Help connections , oidc-enterprise-connection	4	594	January 31, 2024
IdP-Initiated SSO where IdP provides the redirect_url Help idp-initiated	2	3989	August 26, 2019