Troubleshoot SAML Errors

Troubleshoot SAML Errors

Invalid request - connection disabled

Cause

This message indicates that the application doesn't have an active connection associated.

Solution

  1. Go to Authentication > Enterprise.

  2. Click SAML.

  3. Click on the connection you want to check.

  4. Click the Applications tab.

  5. Enable at least one application (if you don't see any in the list, you will need to create an application before proceeding).

IdP-Initiated Default App Not Configured

Cause

This error appears if you haven't provided the necessary information to support IdP-initiated login flows.

Solution

  1. Go to Authentication > Enterprise.

  2. Click SAML

  3. Click on the connection you want to check.

  4. Switch to the IdP-Initiated SSO tab.

  5. Select Accept Requests and select the Default Application and the Response Protocol used by that application, and (optionally) specify any additional parameters you want to be passed to the application.

  6. Click Save Changes.

Troubleshooting SP-initiated login

If you see this error when using a SP-initiated flow, one of the following is missing or empty:

  • The RelayState parameter

  • The InResponseTo attribute in the SAML response

If these are missing or empty, Auth0 treats the login as IdP-initiated. You can fix this error by checking your configuration to ensure that both fields are populated and returned appropriately.

Missing RelayState parameter

Cause

This error occurs when the identity provider doesn't return the RelayState parameter along with its response.

Solution

Work with the identity provider to ensure that it returns the RelayState parameter.

Audience is Invalid

This error occurs if the value of the audience element from the identity provider's SAML response doesn't match the value expected by Auth0. Auth0 expects the value to be the Entity ID for the connection.

Solution

  1. Go to Authentication > Enterprise.

  2. Click SAML.

  3. Click on the connection you want to check.

  4. On the Setup tab, under the Common Settings section, your Entity ID is the second parameter provided. Make sure that the identity provider sends the correct audience value in the SAML response.

Incorrect protocol specified

There is an incorrect response protocol on the IdP-Initiated tab. The response protocol is the one used between Auth0 and the Application (not the remote identity provider). For example, if you set this value to SAML when your application expects OpenID Connect or WS-Fed results in errors due to the incorrect configuration.

Solution

  1. Go to Authentication > Enterprise.

  2. Click SAML.

  3. Click on the connection you want to check.

  4. On the Settings tab, check the value you have set in the Response Protocol field.

User isn't logged out from the IdP

When ADFS is configured as SAML IdP, if the ADFS is relaying party trust Name ID attribute isn't mapped the logout flow fails. For example, with the federated parameter v2/logout?federated&... user isn't redirected to the ADFS SAML logout endpoint but redirects back to application callback URL directly. As a consequence, the user isn't logged out from the IdP in that case.

Solution

Add the Name ID attribute as a rule on the SAML Relaying Party Trust.