When acting as a SAML SP, does Auth0 validate the IdP (issuer) entityid?

jbanning · April 4, 2017, 3:04am

We’re using Auth0 as a SAML SP with connections for each of the IdPs used by our customers. We have a potential customer with different IdPs for SP-initiated and IdP-initated SSO. The IdP’s have two different entityids but share a single signing cert which is valid for both IdPs. We need to use the same connection name for both.

If we configure one connection for one of the two entityids, will Auth0 accept a response from either because the certificate is valid for both issuers? Or does Auth0 need the entityID configured in the connection to match the issuer in addition to the signatures being valid?

Thanks to anyone who can help. I didn’t see anything like this when searching the forum; seems like an edge case.

jmangelo · April 4, 2017, 9:39pm

I believe that by default there is nothing enforcing that the issuer/entityid be an exact match, basically the trust decision is based on the signing certificate. You could then perform additional validations yourself and enforce other rules, but to my knowledge the different naming for entityid will not automatically fail the authentication as long as the signature matches.

Topic		Replies	Views
SAML metadata entityID issue - Auth0 as IDP Help saml	3	4709	December 27, 2018
How can I set custom entity ID (issuer) of Auth0 Identity Provider? Help sso , application	0	1682	March 28, 2023
Migrate existing sso saml connections to auth0 Help login-experience , new-universal-login-experience	4	681	January 24, 2024
Auth0 as IdP: Is it possible to sign both the response and assertion? Help connections , saml-enterprise-connection	2	813	October 26, 2023
URL for SAML Issuer Entity ID instead of URN for single Application Help saml , auth0	0	4055	August 12, 2019

When acting as a SAML SP, does Auth0 validate the IdP (issuer) entityid?

Related Topics