ZITADELZZITADEL
Powered by
GaiaG
ZITADEL•8mo ago
Gaia

SAML response is not accepted by Zitadel?

I have configured an EntraID SAML organization in zitadel. I have set up an action on external post authenticate. When I print the following values 

let logger = require("zitadel/log");

function mapEntraAuth(ctx, api) {
  logger.log("Populate extra information for new Entra user", ctx.v1.externalUser.externalIdpId);

  try {
    logger.log("mapEntraAuth.authError", ctx.v1.authError);
    logger.log("mapEntraAuth.httpRequest", JSON.stringify(ctx.v1.httpRequest));
  } catch (err) {
    logger.log(err);
  }
let logger = require("zitadel/log");

function mapEntraAuth(ctx, api) {
  logger.log("Populate extra information for new Entra user", ctx.v1.externalUser.externalIdpId);

  try {
    logger.log("mapEntraAuth.authError", ctx.v1.authError);
    logger.log("mapEntraAuth.httpRequest", JSON.stringify(ctx.v1.httpRequest));
  } catch (err) {
    logger.log(err);
  }


I get the following error

mapEntraAuth.authError ID=SAML-nuo0vphhh9 Message=Errors.Intent.ResponseInvalid Parent=(Authentication failed)
mapEntraAuth.authError ID=SAML-nuo0vphhh9 Message=Errors.Intent.ResponseInvalid Parent=(Authentication failed)


However, based on the content of the httpRequest, it seems the SAML authentication is successful? the request is

mapEntraAuth.httpRequest {\"method\":\"POST\",\"url\":\"/login/externalidp/callback?Method=POST\\u0026RelayState=329271347561003316\\u0026SAMLResponse=PHNhbWxwOlJlc3BvbnNlIElEPSJfOXYZwZTZlMzEtMTM1Ny00M2...
mapEntraAuth.httpRequest {\"method\":\"POST\",\"url\":\"/login/externalidp/callback?Method=POST\\u0026RelayState=329271347561003316\\u0026SAMLResponse=PHNhbWxwOlJlc3BvbnNlIElEPSJfOXYZwZTZlMzEtMTM1Ny00M2...


and if I decode that SAMLResponse I get

<samlp:Response ID="_8d0e6e31-1357-4ed0-be30-19646kf95ff0" Version="2.0" IssueInstant="2025-07-17T13:00:45.393Z" Destination="https://id.attention.tech/ui/login/login/externalidp/saml/acs" InResponseTo="id-6466a7c977b1e183b94d7b44796818d144373c79" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/55196938-f6a0-4c23-2019-394dk48s90d4/</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <Assertion ID="_9f748bf5-dedk-422c-8204-8ad3lsi71d00" IssueInstant="2025-07-17T13:00:45.390Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>https://sts.windows.net/55493828-f6a0-4c69-8425-394e2l49fd4/</Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
...
<samlp:Response ID="_8d0e6e31-1357-4ed0-be30-19646kf95ff0" Version="2.0" IssueInstant="2025-07-17T13:00:45.393Z" Destination="https://id.attention.tech/ui/login/login/externalidp/saml/acs" InResponseTo="id-6466a7c977b1e183b94d7b44796818d144373c79" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/55196938-f6a0-4c23-2019-394dk48s90d4/</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <Assertion ID="_9f748bf5-dedk-422c-8204-8ad3lsi71d00" IssueInstant="2025-07-17T13:00:45.390Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>https://sts.windows.net/55493828-f6a0-4c69-8425-394e2l49fd4/</Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
...


What I'm doing wrong in this case?
ZITADEL banner
ZITADELJoin
ZITADEL - Identity infrastructure, simplified for you.
4,374Members
Resources
Recent Announcements

Similar Threads

Was this page helpful?

Similar Threads

Entra SAML connect existing Zitadel accounts
SebastianBSSebastianB / questions-help-bugs
12mo ago
SAML Unable to verify Zitadel cert
DohvakenDDohvaken / questions-help-bugs
13mo ago