IdP initiated session fails to verify about omniauth-auth0 HOT 2 CLOSED

This is the right behavior, actually. What the SDK is doing is expected for any OIDC/OAuth2 client: making sure that the response and its ID token match an authentication request initiated by the app from the same browser.

While Auth0 tries to make a direct SAML-to-OIDC protocol translation, the reality is that OIDC does not have the concept of IdP-initiated flows, and thus any good OIDC SDK that makes the proper validations will reject the response (this is briefly explained at https://auth0.com/docs/protocols/saml/idp-initiated-sso#on-idp-initiated-flows-and-openid-connect)

An alternative flow, if the SAML identity provider supports it, would be to link to your app's login endpoint directly (many idps now support this). The panel in the IdP would link to something like https://yourapp.com/login, where your app can initiate the authentication (and then the flow would work fine).

You can add a query string parameter in the request to your app's login endpoint (e.g. https://yourapp.com/login?connection=connection_name) so that the IdP can identity themselves. Your app, in turn, should use the connection parameter when redirecting to Auth0's authorize endpoint (e.g. https://login.molecule.io/authorize?[...]&connection=the_connection_name). By including the connection name in the authorization request Auth0 can send the user directly to the identity provider (without showing the Auth0 hosted login page) and thus the user will get a single sign on.

from omniauth-auth0.

Hey @nicosabena, I'am wondering if this same issue that I'am having is related to this issue. It's a bit strange so I'am wondering if this is the same.

We have a client who gets redirected to their IdP login page from our Auth0 hosted login page. After they log in, our application either says "Idp not enabled" when we have IdP disabled or "csrf detected" when we toggle IdP on.

Any information is appreciated on this :)!

from omniauth-auth0.