
When acting as a SAML SP, does Auth0 validate the IdP (issuer) entityid?



We’re using Auth0 as a SAML SP with connections for each of the IdPs used by our customers. We have a potential customer with different IdPs for SP-initiated and IdP-initiated SSO. The IdPs have two different entityids but share a single signing cert which is valid for both IdPs. We need to use the same connection name for both.

If we configure one connection for one of the two entityids, will Auth0 accept a response from either because the certificate is valid for both issuers? Or does Auth0 need the entityID configured in the connection to match the issuer in addition to the signatures being valid?

Thanks to anyone who can help. I didn’t see anything like this when searching the forum; seems like an edge case.


I believe that by default there is nothing enforcing that the issuer/entityid be an exact match; basically, the trust decision is based on the signing certificate. You could then perform additional validations yourself and enforce other rules, but to my knowledge the different naming for entityid will not automatically fail the authentication as long as the signature matches.
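As an added illustration of the "additional validations" the answer mentions (this is example code, not Auth0's own implementation, and it assumes the SAML library has already verified the XML signature before it runs), the function below compares the Issuer of a SAML Response and of its Assertion against an explicit allow-list of entityIDs. That way a connection that deliberately trusts two IdPs sharing one certificate enumerates both entityIDs, instead of implicitly accepting any issuer that certificate happens to sign for. The SAML XML skeleton and the entityID values are constructed for the example.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed entityIDs for the two IdPs described in the question.
IDP_SP_INITIATED = "https://idp-a.example.test/saml"   # hypothetical
IDP_IDP_INITIATED = "https://idp-b.example.test/saml"  # hypothetical


def make_response(response_issuer, assertion_issuer):
    """Build a minimal, constructed SAML Response for the example.

    The <ds:Signature> element is deliberately omitted: this check is meant
    to run *after* signature verification, as a separate issuer check.
    """
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Issuer>{response_issuer}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>{assertion_issuer}</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def check_issuer(response_xml, allowed_issuers):
    """Return (accepted, detail).

    accepted is True only if the Response Issuer and every Assertion Issuer
    are identical and that value is in allowed_issuers. detail is the
    accepted entityID, or a short reason for rejection.
    """
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return False, "not a samlp:Response"

    resp_issuer = (root.findtext("saml:Issuer", namespaces=NS) or "").strip()
    if not resp_issuer:
        return False, "Response has no Issuer"

    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        return False, "Response carries no Assertion"

    # Every Assertion must be issued by the same party as the Response;
    # a mismatch is rejected even when the signature is valid.
    for assertion in assertions:
        a_issuer = (assertion.findtext("saml:Issuer", namespaces=NS) or "").strip()
        if a_issuer != resp_issuer:
            return False, f"Assertion Issuer {a_issuer!r} != Response Issuer {resp_issuer!r}"

    # The issuer must be one the connection explicitly trusts, independent of
    # which certificate signed the message.
    if resp_issuer not in allowed_issuers:
        return False, f"Issuer {resp_issuer!r} not in connection allow-list"

    return True, resp_issuer


if __name__ == "__main__":
    # Connection configured for only one entityID: the second IdP's response
    # is rejected at this layer even though it would carry a valid signature.
    single = {IDP_SP_INITIATED}
    print(check_issuer(make_response(IDP_IDP_INITIATED, IDP_IDP_INITIATED), single))

    # Connection that deliberately trusts both IdPs sharing the certificate.
    both = {IDP_SP_INITIATED, IDP_IDP_INITIATED}
    print(check_issuer(make_response(IDP_IDP_INITIATED, IDP_IDP_INITIATED), both))
```

The allow-list is the key design choice: it makes the "two IdPs, one certificate" arrangement an explicit configuration decision rather than a side effect of certificate reuse, and it gives the SP a concrete place to log which issuer a response claimed when the check fails.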