Problem statement
Do the following URLs reference the same default certificate for the Auth0 tenant?
- https://TENANT_DOMAIN/pem?connection=CONNECTION_NAME
- https://TENANT_DOMAIN/samlp/metadata?connection=CONNECTION_NAME
Solution
The certificates returned by the '/pem' and '/pem?cert=connection' endpoints are different. The '/pem' endpoint returns the tenant signing certificate, whereas '/pem?cert=connection' returns the connection signing certificate, which is used to sign outbound requests for a connection (e.g., SAML authentication requests) when Auth0 acts as the service provider (SP).
Note that some older tenants (created before 2018) may return the same certificate from both endpoints, but they should still be treated as separate endpoints/certificates, as explained above.
The certificates used by connections (e.g., SAML requests) can be downloaded from:
https://TENANT_DOMAIN/pem?cert=connection
Note that 'cert=connection' is a fixed phrase. Do not replace 'connection' with the connection name.
The connection's SAML metadata also embeds this certificate. It is at:
https://TENANT_DOMAIN/samlp/metadata?connection=CONNECTION_NAME
In the '/samlp/metadata' endpoint, the actual connection name must be passed; it is not a fixed phrase in this case.
The certificate used by applications/APIs (e.g., to sign ID tokens and SAML responses), i.e., the current tenant signing certificate when Auth0 is the IdP, can be downloaded in three ways:
- The https://TENANT_DOMAIN/pem endpoint.
- Go to Auth0 dashboard → Applications → click on an app → Show Advanced Settings → Certificates → Download Certificate.
- The certificate is also included in the application's SAML metadata file, which has the URL format: https://TENANT_DOMAIN/samlp/metadata/CLIENT_ID
When '/pem' is called with any query parameter other than 'cert=connection', the parameter is ignored and the endpoint responds exactly as plain '/pem' would. See the example below:
https://TENANT_DOMAIN/pem?connection=connection_name
In the above case, 'connection=connection_name' is ignored, because the endpoint only recognises '/pem' and '/pem?cert=connection'. The response is therefore the tenant signing certificate, not the connection certificate, so a URL of this shape will not give you the certificate a SAML IdP needs to verify Auth0's signed requests.
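The quickest way to settle which certificate a given endpoint is handing out is to compare fingerprints rather than eyeballing PEM blobs. The script below is an added example, not Auth0 code: it extracts the DER bytes from '/pem' and '/pem?cert=connection' output and from the ds:X509Certificate elements in the connection's SAML metadata, computes SHA-256 fingerprints, and reports whether the metadata carries the connection certificate (the normal case) and whether the tenant and connection certificates coincide (the legacy-tenant case). The placeholder names TENANT_DOMAIN and CONNECTION_NAME, the `fetch_and_compare` helper, and the sample inputs are assumptions; the sample "certificates" are constructed byte strings wrapped in PEM and a metadata document loosely modelled on Auth0's SP metadata, so the comparison runs offline.

```python
import base64
import hashlib
import re
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, List

XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in PEM text."""
    match = PEM_BLOCK.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM text")
    return base64.b64decode("".join(match.group(1).split()))


def metadata_to_der(metadata_xml: str) -> List[bytes]:
    """Return the DER bytes of every <ds:X509Certificate> in SAML metadata."""
    root = ET.fromstring(metadata_xml)
    return [base64.b64decode("".join((el.text or "").split()))
            for el in root.iter(f"{{{XMLDSIG_NS}}}X509Certificate")]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of DER bytes, colon-separated like openssl -fingerprint."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def compare_certs(tenant_pem: str, connection_pem: str, metadata_xml: str) -> Dict[str, object]:
    """Compare /pem, /pem?cert=connection and /samlp/metadata?connection=... by fingerprint."""
    tenant_fp = fingerprint(pem_to_der(tenant_pem))
    connection_fp = fingerprint(pem_to_der(connection_pem))
    metadata_fps = [fingerprint(d) for d in metadata_to_der(metadata_xml)]
    return {
        "tenant_signing_fingerprint": tenant_fp,
        "connection_fingerprint": connection_fp,
        "metadata_fingerprints": metadata_fps,
        # expected: the connection metadata carries the connection certificate
        "metadata_matches_connection": connection_fp in metadata_fps,
        # True only on legacy (pre-2018) tenants where both endpoints coincide
        "tenant_equals_connection": tenant_fp == connection_fp,
    }


def fetch_and_compare(tenant_domain: str, connection_name: str) -> Dict[str, object]:
    """Live variant (assumed helper): pulls the three documents from the tenant over HTTPS."""
    def get(url: str) -> str:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read().decode("utf-8")
    base = f"https://{tenant_domain}"
    return compare_certs(get(f"{base}/pem"),
                         get(f"{base}/pem?cert=connection"),
                         get(f"{base}/samlp/metadata?connection={connection_name}"))


# Constructed offline sample: these are NOT real X.509 certificates, only arbitrary
# bytes wrapped in PEM and in a metadata document shaped like Auth0's SP metadata.
def _as_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


TENANT_DER = b"constructed tenant signing key DER (not a real certificate)"
CONNECTION_DER = b"constructed connection signing key DER (not a real certificate)"
SAMPLE_TENANT_PEM = _as_pem(TENANT_DER)
SAMPLE_CONNECTION_PEM = _as_pem(CONNECTION_DER)
SAMPLE_METADATA_XML = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="urn:auth0:TENANT_DOMAIN:CONNECTION_NAME">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(CONNECTION_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>
"""

if __name__ == "__main__":
    for key, value in compare_certs(SAMPLE_TENANT_PEM, SAMPLE_CONNECTION_PEM,
                                    SAMPLE_METADATA_XML).items():
        print(f"{key}: {value}")
```

Run it as-is to see the offline sample, or call `fetch_and_compare("TENANT_DOMAIN", "CONNECTION_NAME")` against a real tenant. If `metadata_matches_connection` is False while `tenant_equals_connection` is True, you are almost certainly looking at '/pem?connection=...' output (the ignored-parameter case) rather than '/pem?cert=connection'.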