Auth0 not validating SAML 2.0 message signature

Hi,
We’re implementing a SAML 2.0 IdP from scratch and testing it with publicly-available Service Providers. Our Responses now pass validation with samltest.id and Salesforce, but we’re having trouble getting Auth0 to accept the message - it always fails with an error:
{
  "error": "access_denied",
  "error_description": "Signature check errors: invalid signature: the signature value [base64 signature value elided] is incorrect"
}

Here’s the complete message that we’re sending: https://gist.github.com/rkaw92/7b1fd2df4696356dd3843086aa3d32ae

All validators that we could find say that the signature is OK - samltool.io and Chilkat’s XML signature validator all give us green results. Similarly-generated responses also work with test flows on samltest.id and Salesforce’s test SP. Obviously, we have uploaded the certificate PEM before testing.

We have tested with SHA-1 and SHA-256 (both digest and signature), but to no avail. Any idea what we’re doing wrong, or why Auth0 is claiming the signature to be invalid?

Recently I encountered the same problem when trying to connect to OneLogin. Seeing your post, I asked Auth0’s technical support and they told me that:

  • It looks like Auth0 is calculating the wrong digest.
  • If everything goes as planned, the problem will be fixed around the middle of next month (January).

As a workaround, I will use OpenID Connect instead of SAML connection. I’m really grateful for your post.
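The check both posts revolve around is the ds:Reference digest: the SP applies the enveloped-signature transform (drops the ds:Signature from the signed element), canonicalizes what is left, hashes it with the algorithm named in ds:DigestMethod and compares against ds:DigestValue. The example below is added here, not code from either poster or from Auth0; it uses the stdlib C14N 2.0 canonicalizer as a simplification in place of the exclusive C14N 1.0 that SAML messages normally use, and the Assertion it checks is a constructed sample.

```python
import base64
import copy
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("ds", DS)
ET.register_namespace("saml", SAML)

# Digest algorithm URIs found in ds:DigestMethod, mapped to hashlib names (SHA-1 and SHA-256,
# the two the question reports trying)
DIGEST_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#sha1": "sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "sha256",
}

def reference_digest(root, ref_uri, algo):
    """Recompute the digest an SP should obtain for the element a ds:Reference points at."""
    target = next(e for e in root.iter() if e.get("ID") == ref_uri.lstrip("#"))
    target = copy.deepcopy(target)
    # Enveloped-signature transform: the signature itself is never part of what is hashed
    for sig in target.findall(f"{{{DS}}}Signature"):
        target.remove(sig)
    # Simplification: stdlib C14N 2.0 stands in for the exclusive C14N 1.0 SAML uses
    c14n = ET.canonicalize(ET.tostring(target, encoding="unicode"), strip_text=False)
    return base64.b64encode(hashlib.new(algo, c14n.encode()).digest()).decode()

def check_digests(xml_text):
    """Return {reference_uri: True/False} for every ds:Reference in the message."""
    root = ET.fromstring(xml_text)
    results = {}
    for ref in root.iter(f"{{{DS}}}Reference"):
        algo = DIGEST_ALGS[ref.find(f"{{{DS}}}DigestMethod").get("Algorithm")]
        stated = ref.find(f"{{{DS}}}DigestValue").text.strip()
        results[ref.get("URI")] = reference_digest(root, ref.get("URI"), algo) == stated
    return results

def build_sample(name_id="alice"):
    """Constructed sample Assertion (not a real IdP message) with its SHA-256 DigestValue filled in."""
    xml_text = f"""<saml:Assertion xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#_a1">
      <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
</saml:Assertion>"""
    digest = reference_digest(ET.fromstring(xml_text), "#_a1", "sha256")
    return xml_text.replace("PLACEHOLDER", digest)
```

A digest mismatch on an otherwise well-formed message means either the signed content changed in transit or the two sides canonicalize differently, which is why the same Response can pass one SP and fail another.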