SAML response is not accepted by Zitadel?
I have configured an EntraID SAML organization in Zitadel and set up an action on the external post-authentication trigger. When I print the following values
I get the following error
However, based on the content of the httpRequest, it seems the SAML authentication is successful. The request is
and if I decode that SAMLResponse I get
What am I doing wrong in this case?
// Logging module of the Zitadel actions runtime.
let logger = require("zitadel/log");
/**
 * Action run on the external post-authentication trigger (as described in the post).
 * The excerpt shown here only logs diagnostic values read from ctx.v1; `api` is not
 * used in the visible lines, and the function's closing brace is not part of the excerpt.
 *
 * @param ctx - action context; ctx.v1.externalUser, ctx.v1.authError and ctx.v1.httpRequest are read
 * @param api - action API object (unused in the visible lines)
 */
function mapEntraAuth(ctx, api) {
// This call sits outside the try block: if ctx.v1.externalUser is missing, the property
// access throws and the catch below does not see it.
logger.log("Populate extra information for new Entra user", ctx.v1.externalUser.externalIdpId);
try {
// authError is the error the runtime hands to the action. A Success StatusCode inside the
// SAMLResponse is the IdP's own statement; the service provider still validates the response
// (signature, Destination, InResponseTo, conditions) before accepting it.
logger.log("mapEntraAuth.authError", ctx.v1.authError);
// NOTE(review): this serializes the whole callback request. In the output shown with this
// post the url field carries RelayState and the complete base64 SAMLResponse, so the signed
// assertion and the user's identity attributes are written to the log. Keep this for a short
// debugging window only, restrict read access to the log, and remove or redact it afterwards.
logger.log("mapEntraAuth.httpRequest", JSON.stringify(ctx.v1.httpRequest));
} catch (err) {
// Best-effort diagnostics: a failure while logging is itself logged, not rethrown.
logger.log(err);
}
// Logging module of the Zitadel actions runtime.
let logger = require("zitadel/log");
/**
 * Action run on the external post-authentication trigger (as described in the post).
 * The excerpt shown here only logs diagnostic values read from ctx.v1; `api` is not
 * used in the visible lines, and the function's closing brace is not part of the excerpt.
 *
 * @param ctx - action context; ctx.v1.externalUser, ctx.v1.authError and ctx.v1.httpRequest are read
 * @param api - action API object (unused in the visible lines)
 */
function mapEntraAuth(ctx, api) {
// This call sits outside the try block: if ctx.v1.externalUser is missing, the property
// access throws and the catch below does not see it.
logger.log("Populate extra information for new Entra user", ctx.v1.externalUser.externalIdpId);
try {
// authError is the error the runtime hands to the action. A Success StatusCode inside the
// SAMLResponse is the IdP's own statement; the service provider still validates the response
// (signature, Destination, InResponseTo, conditions) before accepting it.
logger.log("mapEntraAuth.authError", ctx.v1.authError);
// NOTE(review): this serializes the whole callback request. In the output shown with this
// post the url field carries RelayState and the complete base64 SAMLResponse, so the signed
// assertion and the user's identity attributes are written to the log. Keep this for a short
// debugging window only, restrict read access to the log, and remove or redact it afterwards.
logger.log("mapEntraAuth.httpRequest", JSON.stringify(ctx.v1.httpRequest));
} catch (err) {
// Best-effort diagnostics: a failure while logging is itself logged, not rethrown.
logger.log(err);
}
mapEntraAuth.authError ID=SAML-nuo0vphhh9 Message=Errors.Intent.ResponseInvalid Parent=(Authentication failed)
mapEntraAuth.authError ID=SAML-nuo0vphhh9 Message=Errors.Intent.ResponseInvalid Parent=(Authentication failed)
mapEntraAuth.httpRequest {\"method\":\"POST\",\"url\":\"/login/externalidp/callback?Method=POST\\u0026RelayState=329271347561003316\\u0026SAMLResponse=PHNhbWxwOlJlc3BvbnNlIElEPSJfOXYZwZTZlMzEtMTM1Ny00M2...
mapEntraAuth.httpRequest {\"method\":\"POST\",\"url\":\"/login/externalidp/callback?Method=POST\\u0026RelayState=329271347561003316\\u0026SAMLResponse=PHNhbWxwOlJlc3BvbnNlIElEPSJfOXYZwZTZlMzEtMTM1Ny00M2...
<samlp:Response ID="_8d0e6e31-1357-4ed0-be30-19646kf95ff0" Version="2.0" IssueInstant="2025-07-17T13:00:45.393Z" Destination="https://id.attention.tech/ui/login/login/externalidp/saml/acs" InResponseTo="id-6466a7c977b1e183b94d7b44796818d144373c79" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/55196938-f6a0-4c23-2019-394dk48s90d4/</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<Assertion ID="_9f748bf5-dedk-422c-8204-8ad3lsi71d00" IssueInstant="2025-07-17T13:00:45.390Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>https://sts.windows.net/55493828-f6a0-4c69-8425-394e2l49fd4/</Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
...
<samlp:Response ID="_8d0e6e31-1357-4ed0-be30-19646kf95ff0" Version="2.0" IssueInstant="2025-07-17T13:00:45.393Z" Destination="https://id.attention.tech/ui/login/login/externalidp/saml/acs" InResponseTo="id-6466a7c977b1e183b94d7b44796818d144373c79" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/55196938-f6a0-4c23-2019-394dk48s90d4/</Issuer>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</samlp:Status>
<Assertion ID="_9f748bf5-dedk-422c-8204-8ad3lsi71d00" IssueInstant="2025-07-17T13:00:45.390Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>https://sts.windows.net/55493828-f6a0-4c69-8425-394e2l49fd4/</Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
...