SAML Connection Login Error: IdP-Initiated login is not enabled for connection "CONNECTION_NAME"

Overview

This article explains the cause of the following error, which occurs after attempting a Service Provider Initiated (SP-Initiated) login to a SAML connection configured in a tenant.

IdP-Initiated login is not enabled for connection "CONNECTION_NAME"

Applies To
  • SAML Connections
  • Service Provider (SP)
  • Identity Provider (IdP)

Cause

Domain Mismatch

The application is redirecting the user to the Auth0 tenant's Canonical Domain:

{tenantName}.{region}.auth0.com (for example, example.eu.auth0.com)

However, the SAML connection is configured to send the SAML Response back to the Custom Domain configured within the tenant. For further information, refer to Configure Features to use with Custom Domains.

A standard SAML SP-initiated request requires that the login begin and end on the same domain. When the login begins with the Canonical Domain but completes with a redirect to the Custom Domain, the SAML Response is no longer associated with the initial SAML Request made from the Canonical Domain.

Due to this lack of context, the SAML Response is treated as Identity Provider (IdP)-initiated. Because SAML connections are not configured by default to support this type of login flow, the following error is thrown:

IdP-Initiated login is not enabled for connection "CONNECTION_NAME"

Missing or Invalid RelayState

The Auth0 server (as an SP) sends the RelayState parameter when requesting that an IdP initiate the login flow and expects the IdP to return the same RelayState to the /login/callback endpoint upon authentication completion.

If the RelayState is missing in the request from the IdP, or if the IdP sends an invalid RelayState that does not match the initial value, the Auth0 server cannot recognize the transaction as SP-Initiated.

Solution

Update either the application or the SAML IdP settings to:

  1. Use the Custom or Canonical Domain.
  2. Return the valid RelayState.

This will vary according to the application and the IdP configuration.
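To tell which of the two causes applies, both can be checked against a callback captured from a browser trace. The following is an added example, not Auth0 code: it assumes you have the URL the application redirected to, the RelayState the SP sent, and the form-encoded POST body delivered to /login/callback. The custom domain login.example.com, the RelayState values and the minimal SAML Response are constructed.

```python
import base64
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit


def diagnose(login_url, sent_relay_state, callback_body):
    """List the reasons a SAML callback would not match the SP-initiated request."""
    form = parse_qs(callback_body, keep_blank_values=True)
    findings = []

    # Cause 1: the login began on one tenant domain, but the IdP posted the
    # response to another (read from the Response's Destination attribute).
    xml = base64.b64decode(form.get("SAMLResponse", [""])[0])
    if b"<!DOCTYPE" in xml:  # captured XML is untrusted; do not expand entities
        raise ValueError("refusing to parse a SAML Response that contains a DOCTYPE")
    destination = ET.fromstring(xml).get("Destination") if xml else None
    start_host = urlsplit(login_url).hostname
    end_host = urlsplit(destination).hostname if destination else None
    if end_host is None:
        findings.append("no Destination in SAML Response; check the IdP's ACS URL")
    elif end_host != start_host:
        findings.append(f"domain mismatch: began on {start_host}, ended on {end_host}")

    # Cause 2: the IdP dropped or altered the RelayState it was given.
    returned = form.get("RelayState")
    if returned is None:
        findings.append("RelayState missing from callback")
    elif returned[0] != sent_relay_state:
        findings.append("RelayState does not match the value sent")
    return findings


def sample_callback(destination, relay_state=None):
    """Build a constructed form-encoded POST body like one captured from a browser trace."""
    response = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'Destination="{destination}"/>'
    )
    fields = {"SAMLResponse": base64.b64encode(response.encode()).decode()}
    if relay_state is not None:
        fields["RelayState"] = relay_state
    return urlencode(fields)


# Constructed values: the canonical domain is the page's example; the custom domain is hypothetical.
LOGIN = "https://example.eu.auth0.com/authorize"
CANONICAL_ACS = "https://example.eu.auth0.com/login/callback"
CUSTOM_ACS = "https://login.example.com/login/callback"
```

An empty list from `diagnose` means the callback landed on the domain where the login began and carried the RelayState that was sent.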

 
