> Describes how to troubleshoot common SAML-related errors.

# Troubleshoot SAML Errors

## Invalid request - connection disabled

### Cause

This message indicates that the application doesn't have an active connection associated with it.

### Solution

1. Go to [Authentication > Enterprise](https://manage.auth0.com/#/connections/enterprise).
2. Click **SAML**.
3. Click on the connection you want to check.
4. Click the **Applications** tab.
5. Enable at least one application (if you don't see any in the list, you will need to [create an application](/docs/get-started/applications) before proceeding).

## IdP-Initiated Default App Not Configured

### Cause

This error appears if you haven't provided the necessary information to support <Tooltip tip="Identity Provider (IdP): Service that stores and manages digital identities." cta="View Glossary" href="/docs/glossary?term=IdP">IdP</Tooltip>-initiated login flows.

### Solution

1. Go to [Authentication > Enterprise](https://manage.auth0.com/#/connections/enterprise).
2. Click **SAML**.
3. Click on the connection you want to check.
4. Switch to the **IdP-Initiated SSO** tab.
5. Select **Accept Requests**, then select the **Default Application** and the **Response Protocol** used by that application. Optionally, specify any additional parameters you want to be passed to the application.
6. Click **Save Changes**.

<Card title="Troubleshooting SP-initiated login">
  If you see this error when using an SP-initiated flow, one of the following is missing or empty:

  * The `RelayState` parameter
  * The `InResponseTo` attribute in the SAML response

  If these are missing or empty, Auth0 treats the login as IdP-initiated. You can fix this error by checking your configuration to ensure that both fields are populated and returned appropriately.
</Card>

## Missing RelayState parameter

### Cause

This error occurs when the identity provider doesn't return the `RelayState` parameter along with its response.

### Solution

Work with the identity provider to ensure that it returns the `RelayState` parameter.

## Audience is Invalid

This error occurs if the value of the `audience` element from the identity provider's <Tooltip tip="Security Assertion Markup Language (SAML): Standardized protocol allowing two parties to exchange authentication information without a password." cta="View Glossary" href="/docs/glossary?term=SAML">SAML</Tooltip> response doesn't match the value expected by Auth0. Auth0 expects the value to be the Entity ID for the connection.

### Solution

1. Go to [Authentication > Enterprise](https://manage.auth0.com/#/connections/enterprise).
2. Click **SAML**.
3. Click on the connection you want to check.
4. On the **Setup** tab, under the **Common Settings** section, your **Entity ID** is the second parameter provided. Make sure that the identity provider sends the correct `audience` value in the SAML response.
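
To see which of the conditions above a given identity provider response triggers (missing `RelayState`, missing `InResponseTo`, or a mismatched `audience`), you can decode a captured `SAMLResponse` form value and inspect it. The following is an added example, not Auth0 code; the function names, the sample response, and the Entity ID `urn:auth0:example-tenant:example-saml` are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def diagnose(saml_response_b64, relay_state, expected_entity_id):
    """List the conditions from this page that a captured IdP POST would trigger.

    Diagnostic only: the signature is not verified, so never use the result
    to decide whether a response is trustworthy.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    findings = []
    if not relay_state:
        findings.append("RelayState missing or empty")
    if not root.get("InResponseTo"):
        findings.append("InResponseTo missing or empty")
    if findings:
        findings.append("login is treated as IdP-initiated")
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if expected_entity_id not in audiences:
        findings.append(f"audience {audiences} does not match Entity ID {expected_entity_id}")
    return findings

def sample_response(in_response_to, audience):
    """Build a constructed, unsigned response; every value here is made up."""
    attr = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
           f' ID="_r1" Version="2.0"{attr}><saml:Assertion ID="_a1" Version="2.0">'
           f'<saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}'
           f'</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
           f'</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    entity_id = "urn:auth0:example-tenant:example-saml"  # constructed placeholder
    cases = {
        "SP-initiated, correct": (sample_response("_req123", entity_id), "state-abc"),
        "no RelayState/InResponseTo, wrong audience":
            (sample_response(None, "https://wrong.example/sp"), ""),
    }
    for name, (resp, relay) in cases.items():
        print(name, "->", diagnose(resp, relay, entity_id) or "no findings")
```

Pass the `SAMLResponse` and `RelayState` values exactly as the identity provider posted them, after URL-decoding the form body.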

## Incorrect protocol specified

There is an incorrect response protocol on the **IdP-Initiated** tab. The response protocol is the one used between Auth0 and the Application (not the remote identity provider). For example, setting this value to **SAML** when your application expects **<Tooltip tip="OpenID: Open standard for authentication that allows applications to verify users' identities without collecting and storing login information." cta="View Glossary" href="/docs/glossary?term=OpenID">OpenID</Tooltip> Connect** or **<Tooltip tip="OpenID: Open standard for authentication that allows applications to verify users' identities without collecting and storing login information." cta="View Glossary" href="/docs/glossary?term=WS-Fed">WS-Fed</Tooltip>** results in errors due to the incorrect configuration.

### Solution

1. Go to [Authentication > Enterprise](https://manage.auth0.com/#/connections/enterprise).
2. Click **SAML**.
3. Click on the connection you want to check.
4. On the **Settings** tab, check the value you have set in the **Response Protocol** field.

## User isn't logged out from the IdP

When ADFS is configured as the SAML IdP, the logout flow fails if the `Name ID` attribute isn't mapped on the ADFS relying party trust. For example, with the federated parameter `v2/logout?federated&...`, the user isn't redirected to the ADFS SAML logout endpoint but is redirected directly back to the application callback URL. As a consequence, the user isn't logged out from the IdP in that case.

### Solution

Add the `Name ID` attribute as a rule on the SAML Relying Party Trust.
