Error During IdP-Initiated SAML Login

Overview

When using an Identity Provider (IdP)-initiated Security Assertion Markup Language (SAML) login, the login attempt fails and the redirect does not complete.

Applies To
  • Auth0 Security Assertion Markup Language (SAML) Single Sign-On (SSO)

  • Identity Provider (IdP)-initiated login

Cause

The issue occurs when the Auth0 application is configured with a wildcard (*) as the first Allowed Callback URL. In IdP-initiated SAML flows, Auth0 always redirects the response to the first Allowed Callback URL. A wildcard cannot be resolved into a valid address, which causes the login flow to fail. Auth0 requires a specific, fully qualified URL for this first entry.

NOTE: Query string overrides, for example redirect_uri or response_type, are ignored when the response protocol is SAML.

Solution

Update the application's Allowed Callback URLs so the first entry is a specific, fully qualified URL rather than a wildcard.

  1. In the Auth0 Dashboard, go to Applications > Applications.

  2. Open the application set as the default client for the IdP-initiated connection.

  3. Under Allowed Callback URLs, ensure the first entry is the fully qualified URL that the SAML response must use. Do not use wildcards (*).

  4. Click Save changes.

  5. It is also recommended to remove any query string parameters from the IdP-initiated settings, as they are not applied when the response protocol is SAML.
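A quick check for the misconfiguration described above, added here as an example rather than Auth0's own code: it takes the Allowed Callback URLs in dashboard order (assumed to be the order Auth0 applies for the first-entry rule), flags a first entry that is a wildcard or not fully qualified, and suggests which existing entry to move to the front.

```python
from urllib.parse import urlparse

# Added example (not Auth0's code). `callbacks` mirrors the order of the
# Allowed Callback URLs field; the sample values below are constructed.
def classify_callback(url: str) -> str:
    """Return 'ok', or why the entry cannot serve as the first callback."""
    url = url.strip()
    if not url:
        return "empty"
    if "*" in url:
        # The article's failure case: a wildcard cannot be resolved to an address.
        return "wildcard"
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return "not fully qualified"
    return "ok"

def check_first_callback(callbacks: list[str]) -> dict:
    """Judge the list as Auth0 uses it for IdP-initiated SAML: only the
    first entry matters. On failure, suggest a later entry to move up."""
    if not callbacks:
        return {"ok": False, "reason": "no callbacks", "suggest": None}
    reason = classify_callback(callbacks[0])
    if reason == "ok":
        return {"ok": True, "reason": "ok", "suggest": None}
    suggest = next((c for c in callbacks[1:] if classify_callback(c) == "ok"), None)
    return {"ok": False, "reason": reason, "suggest": suggest}

def reorder_callbacks(callbacks: list[str]) -> list[str]:
    """Copy of the list with a specific URL moved to position 0 when needed.
    Nothing is dropped; entries are only reordered."""
    result = check_first_callback(callbacks)
    if result["ok"] or result["suggest"] is None:
        return list(callbacks)
    rest = [c for c in callbacks if c != result["suggest"]]
    return [result["suggest"]] + rest

# Constructed sample reproducing the misconfiguration from this article.
BROKEN = ["https://*.example.com/callback", "https://app.example.com/callback"]

if __name__ == "__main__":
    print(check_first_callback(BROKEN))
    print(reorder_callbacks(BROKEN))
```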
