"Action Required for "my-saml-link" connection: Signing certificate will expire in 29 days"

Problem statement

We have a SAML connection called ‘my-saml-link’. Auth0 is configured as the Service Provider (SP) in this arrangement. We recently received an email from Auth0 with the subject "Action Required for ‘my-saml-link’ connection: Signing certificate will expire in 29 days".

We are confused by this message, as the connection uses a custom SSL certificate with a validity of 2 years. We uploaded this certificate via the Auth0 API. Can you please recheck the expiration date?

Cause

If you receive a message of this type, it may not be obvious which certificate it refers to. This can be a source of considerable confusion.

When configuring Auth0 as a SAML service provider (SP), you would have had the option of using a custom key to sign requests that are sent from the SP towards the IdP.

To be absolutely clear about this point, the custom key is for signing SAML requests sent from Auth0 to the IdP.

You can check the validity of this key and view its contents using a command of this form:

openssl x509 -in <certificate.crt> -text -noout

  • where <certificate.crt> is the name of the text (PEM) file that contains the certificate

In this particular case, when the certificate was checked, it did indeed have a further 2 years until the date of expiry. So clearly, the message sent by Auth0 did not refer to this certificate.

There is another certificate that can trigger this type of warning message. It relates to the signature on SAML responses sent to Auth0 from the IdP. In other words, the message is warning you that the IdP signing certificate will shortly expire.

The documentation explains how this is initially configured.

Solution

How you react to this type of message will depend on who ‘owns’ the IdP. If you own the IdP, then you just have to make sure that the certificate is renewed in time (using whatever mechanism is appropriate for the IdP). If you have a lot of SAML connections, you may want to keep a spreadsheet or automated reminder system to track when these are due to expire.

On the other hand, if a downstream customer owns the IdP, then not only do you need to track the expiry date of the certificate for each connection, you also have to contact the IdP owner and send reminder emails until the certificate is updated.
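As an added example (not code from the Auth0 article), the following POSIX shell script implements the automated tracking described above with the same openssl tool used earlier. It assumes each connection's IdP signing certificate has been exported to a local PEM file named after the connection (for example idp-certs/my-saml-link.pem); the directory name and layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the Auth0 article): flag IdP signing certificates that
# are close to expiry, the check Auth0's 30-day email performs on your behalf.
# Assumption: each connection's IdP signing certificate is saved locally as PEM,
# one file per connection, named <connection>.pem inside a single directory.

# cert_not_after <cert.pem>: print the certificate's notAfter date.
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# cert_expires_within <cert.pem> <days>: exit 0 if the certificate expires (or has
# already expired) within <days>, 1 if it stays valid beyond that window, 2 if the
# file is not a readable certificate. openssl's -checkend exits 0 while the cert is
# still valid at now+<seconds> and 1 otherwise, so its result is inverted here.
cert_expires_within() {
  cert="$1"; days="$2"
  openssl x509 -in "$cert" -noout >/dev/null 2>&1 || return 2
  if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
    return 1
  fi
  return 0
}

# report_connections <days> <dir>: print one status line per connection and exit 1
# if any certificate is inside the warning window or cannot be read.
report_connections() {
  days="$1"; dir="$2"; rc=0
  for cert in "$dir"/*.pem; do
    [ -e "$cert" ] || continue
    name=$(basename "$cert" .pem)
    cert_expires_within "$cert" "$days" && status=0 || status=$?
    case "$status" in
      0) echo "WARN  $name: IdP signing certificate expires $(cert_not_after "$cert")"
         rc=1 ;;
      1) echo "OK    $name: valid beyond $days days (notAfter $(cert_not_after "$cert"))" ;;
      *) echo "ERROR $name: not a readable certificate"
         rc=1 ;;
    esac
  done
  return "$rc"
}

# Example run against a directory of saved IdP certificates, using the same
# 30-day window as the Auth0 notification:
#   report_connections 30 ./idp-certs
```

Run it from cron or CI with a non-zero exit treated as an alert; the same report doubles as the list of IdP owners who need a reminder.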

It is ultimately the responsibility of the customer to make sure that IdP certificates are renewed in a timely manner.