Troubleshoot SAML Errors
Invalid request - connection disabled
Cause
This message indicates that the application doesn't have an active connection associated.
Solution
Go to Authentication > Enterprise.
Click SAML.
Click on the connection you want to check.
Click the Applications tab.
Enable at least one application (if you don't see any in the list, you will need to create an application before proceeding).
IdP-Initiated Default App Not Configured
Cause
This error appears if you haven't provided the necessary information to support IdP-initiated login flows.
Solution
Go to Authentication > Enterprise.
Click SAML
Click on the connection you want to check.
Switch to the IdP-Initiated SSO tab.
Select Accept Requests and select the Default Application and the Response Protocol used by that application, and (optionally) specify any additional parameters you want to be passed to the application.
Click Save Changes.
Troubleshooting SP-initiated login
If you see this error when using a SP-initiated flow, one of the following is missing or empty:
The
RelayState
parameterThe
InResponseTo
attribute in the SAML response
If these are missing or empty, Auth0 treats the login as IdP-initiated. You can fix this error by checking your configuration to ensure that both fields are populated and returned appropriately.
Missing RelayState parameter
Cause
This error occurs when the identity provider doesn't return the RelayState
parameter along with its response.
Solution
Work with the identity provider to ensure that it returns the RelayState
parameter.
Audience is Invalid
This error occurs if the value of the audience
element from the identity provider's SAML response doesn't match the value expected by Auth0. Auth0 expects the value to be the Entity ID for the connection.
Solution
Go to Authentication > Enterprise.
Click SAML.
Click on the connection you want to check.
On the Setup tab, under the Common Settings section, your Entity ID is the second parameter provided. Make sure that the identity provider sends the correct
audience
value in the SAML response.
Incorrect protocol specified
There is an incorrect response protocol on the IdP-Initiated tab. The response protocol is the one used between Auth0 and the Application (not the remote identity provider). For example, if you set this value to SAML when your application expects OpenID Connect or WS-Fed results in errors due to the incorrect configuration.
Solution
Go to Authentication > Enterprise.
Click SAML.
Click on the connection you want to check.
On the Settings tab, check the value you have set in the Response Protocol field.
User isn't logged out from the IdP
When ADFS is configured as SAML IdP, if the ADFS is relaying party trust Name ID
attribute isn't mapped the logout flow fails. For example, with the federated parameter v2/logout?federated&...
user isn't redirected to the ADFS SAML logout endpoint but redirects back to application callback URL directly. As a consequence, the user isn't logged out from the IdP in that case.
Solution
Add the Name ID
attribute as a rule on the SAML Relaying Party Trust.