Gaia (ZITADEL, 6mo ago)

SAML response is not accepted by Zitadel?

I have configured an EntraID SAML organization in zitadel. I have set up an action on external post authenticate. When I print the following values

let logger = require("zitadel/log");

// Post-authentication action: log what ZITADEL received from the external IdP.
function mapEntraAuth(ctx, api) {
  logger.log("Populate extra information for new Entra user", ctx.v1.externalUser.externalIdpId);

  try {
    // authError holds the failure ZITADEL recorded for this login, if any;
    // httpRequest is the callback request carrying the SAMLResponse.
    logger.log("mapEntraAuth.authError", ctx.v1.authError);
    logger.log("mapEntraAuth.httpRequest", JSON.stringify(ctx.v1.httpRequest));
  } catch (err) {
    logger.log(err);
  }
}


I get the following error

mapEntraAuth.authError ID=SAML-nuo0vphhh9 Message=Errors.Intent.ResponseInvalid Parent=(Authentication failed)


However, based on the content of the httpRequest, it seems the SAML authentication is successful? The request is

mapEntraAuth.httpRequest {\"method\":\"POST\",\"url\":\"/login/externalidp/callback?Method=POST\\u0026RelayState=329271347561003316\\u0026SAMLResponse=PHNhbWxwOlJlc3BvbnNlIElEPSJfOXYZwZTZlMzEtMTM1Ny00M2...


and if I decode that SAMLResponse I get

<samlp:Response ID="_8d0e6e31-1357-4ed0-be30-19646kf95ff0" Version="2.0" IssueInstant="2025-07-17T13:00:45.393Z" Destination="https://id.attention.tech/ui/login/login/externalidp/saml/acs" InResponseTo="id-6466a7c977b1e183b94d7b44796818d144373c79" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/55196938-f6a0-4c23-2019-394dk48s90d4/</Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <Assertion ID="_9f748bf5-dedk-422c-8204-8ad3lsi71d00" IssueInstant="2025-07-17T13:00:45.390Z" Version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>https://sts.windows.net/55493828-f6a0-4c69-8425-394e2l49fd4/</Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
...


What am I doing wrong in this case?
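A `Success` StatusCode only says the identity provider authenticated the user; the service provider still rejects the response if its own checks on Destination, InResponseTo, IssueInstant, Issuer or the signature fail, and the decoded XML in the post shows exactly the fields those checks read. The script below is an added example, not the poster's code and not ZITADEL's validation logic: it decodes a SAMLResponse out of a callback URL of the same shape as the one logged above and runs the structural checks a SAML 2.0 SP applies before accepting it. The sample response, its IDs, tenant and host, the expected ACS URL and the request ID are all constructed placeholders; cryptographic signature verification is deliberately out of scope (it needs the IdP certificate), so the script only reports whether a Signature element is present.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlparse

# XML namespaces used by a SAML 2.0 Response.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample (placeholder IDs, tenant and host) with the same shape
# as the response decoded in the post.
SAMPLE_XML = """<samlp:Response ID="_resp-placeholder" Version="2.0"
  IssueInstant="2025-07-17T13:00:45.393Z"
  Destination="https://sp.example.test/ui/login/login/externalidp/saml/acs"
  InResponseTo="id-placeholder-request"
  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/00000000-0000-0000-0000-000000000000/</Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <Assertion ID="_assert-placeholder" IssueInstant="2025-07-17T13:00:45.390Z" Version="2.0"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
    <Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo/></Signature>
  </Assertion>
</samlp:Response>"""

# Constructed callback URL, shaped like the one an action sees in ctx.v1.httpRequest.url.
SAMPLE_CALLBACK = (
    "/login/externalidp/callback?Method=POST&RelayState=329271347561003316"
    "&SAMLResponse=" + quote(base64.b64encode(SAMPLE_XML.encode()).decode(), safe="")
)
# Placeholder values the SP side would know from its own configuration and AuthnRequest.
EXPECTED_ACS = "https://sp.example.test/ui/login/login/externalidp/saml/acs"
EXPECTED_ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
FRESH_NOW = datetime(2025, 7, 17, 13, 1, 0, tzinfo=timezone.utc)   # shortly after IssueInstant
STALE_NOW = datetime(2025, 7, 17, 14, 0, 0, tzinfo=timezone.utc)   # an hour later


def extract_saml_response(callback_url: str) -> str:
    """Return the decoded SAMLResponse XML carried in the callback URL's query string."""
    query = parse_qs(urlparse(callback_url).query)
    return base64.b64decode(query["SAMLResponse"][0]).decode("utf-8")


def _parse_instant(value: str) -> datetime:
    """Parse a SAML xs:dateTime such as 2025-07-17T13:00:45.393Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def inspect_response(xml_text, expected_acs, expected_request_id=None,
                     expected_issuer=None, now=None, max_age=timedelta(minutes=5)):
    """Apply the structural checks an SP runs before accepting a Response.

    Returns the extracted fields plus a list of findings; an empty list means every
    check here passed. Signature presence is reported, not verified.
    """
    root = ET.fromstring(xml_text)
    now = now or datetime.now(timezone.utc)
    findings = []

    status_el = root.find("samlp:Status/samlp:StatusCode", NS)
    status = status_el.get("Value") if status_el is not None else None
    if status != SUCCESS:
        findings.append(f"StatusCode is {status!r}, not Success")

    destination = root.get("Destination")
    if destination != expected_acs:
        findings.append(f"Destination {destination!r} != configured ACS {expected_acs!r}")

    in_response_to = root.get("InResponseTo")
    if expected_request_id is not None and in_response_to != expected_request_id:
        findings.append(f"InResponseTo {in_response_to!r} does not match AuthnRequest ID {expected_request_id!r}")

    issued = _parse_instant(root.get("IssueInstant"))
    if not (now - max_age <= issued <= now + timedelta(minutes=1)):
        findings.append(f"IssueInstant {issued.isoformat()} is outside the accepted window around {now.isoformat()}")

    resp_issuer_el = root.find("saml:Issuer", NS)
    response_issuer = resp_issuer_el.text if resp_issuer_el is not None else None
    assertion = root.find("saml:Assertion", NS)
    assertion_issuer, assertion_signed = None, False
    if assertion is None:
        findings.append("Response carries no Assertion element")
    else:
        issuer_el = assertion.find("saml:Issuer", NS)
        assertion_issuer = issuer_el.text if issuer_el is not None else None
        assertion_signed = assertion.find("ds:Signature", NS) is not None
        if not assertion_signed and root.find("ds:Signature", NS) is None:
            findings.append("Neither the Response nor the Assertion carries a Signature")
        if expected_issuer is not None and assertion_issuer != expected_issuer:
            findings.append(f"Assertion Issuer {assertion_issuer!r} != configured IdP {expected_issuer!r}")
        if response_issuer is not None and response_issuer != assertion_issuer:
            findings.append("Response Issuer and Assertion Issuer differ")

    return {"status": status, "destination": destination, "in_response_to": in_response_to,
            "issue_instant": issued, "response_issuer": response_issuer,
            "assertion_issuer": assertion_issuer, "assertion_signed": assertion_signed,
            "findings": findings}


def inspect_sample(expected_acs=EXPECTED_ACS, now=FRESH_NOW):
    """Decode the constructed callback and inspect it against the placeholder SP settings."""
    return inspect_response(extract_saml_response(SAMPLE_CALLBACK), expected_acs,
                            expected_request_id="id-placeholder-request",
                            expected_issuer=EXPECTED_ISSUER, now=now)


if __name__ == "__main__":
    for label, report in (("fresh", inspect_sample()), ("stale clock", inspect_sample(now=STALE_NOW))):
        print(label, "->", report["findings"] or "all checks passed")
```

To use it on a real callback, paste the `url` value from the `httpRequest` log line into `extract_saml_response` and pass the ACS URL and IdP entity ID exactly as configured on the SP side; any non-empty findings list names a field the IdP and SP disagree on, which is the usual reason a response whose StatusCode says Success is still rejected.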