Certificates Used in SAML

Problem statement

Do the following URLs reference the same default certificate for the Auth0 tenant?

Solution

The certificates obtained from the /pem and /pem?cert=connection endpoints are different. The /pem endpoint returns the tenant signing key, whereas the /pem?cert=connection endpoint returns the connection signing key, which is used to sign the connection's outbound messages (e.g., SAML requests) when Auth0 issues the request as an SP.
Please note that some old tenants (created roughly five years ago, before 2018) may return the same result from both endpoints, but they should still be treated as separate endpoints/certificates, as explained above.

The certificates used by connections (e.g., SAML requests) can be downloaded from:

https://TENANT_DOMAIN/pem?cert=connection

Note that cert=connection is a fixed phrase. You should not replace 'connection' with the connection name.
Also, the connection metadata endpoint will have this certificate. It’s at:

https://TENANT_DOMAIN/samlp/metadata?connection=CONNECTION_NAME

In the /samlp/metadata endpoint, the connection name must be passed. It is not a fixed phrase in this case.

The certificate used by Applications/APIs (e.g., ID tokens, SAML responses) and the current signing cert (when Auth0 is the IdP) can be downloaded in three ways:

  1. https://TENANT_DOMAIN/pem endpoint.
  2. Go to Auth0 dashboard → Applications → click on an app → Show Advanced Settings → Certificates → Download Certificate.
  3. The certificate is also included in the SAML metadata file, which has the URL format: https://TENANT_DOMAIN/samlp/metadata/CLIENT_ID

When the /pem endpoint is called with any query parameter other than cert=connection, it ignores the query parameters and responds exactly as the plain /pem endpoint would. See the example below:

https://TENANT_DOMAIN/pem?connection=connection_name

In the above case, connection=connection_name is ignored because the endpoint only recognizes /pem and /pem?cert=connection.
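A quick way to confirm which of the two certificates a given metadata document carries is to normalize both the /pem response and the ds:X509Certificate entries in the samlp/metadata XML to DER and compare SHA-256 fingerprints. The script below is an added example, not Auth0's own code; it assumes you have already fetched the endpoint bodies (e.g., with curl), and the certificate bytes it embeds are constructed placeholders rather than real X.509 data.

```python
"""Compare Auth0 signing certificates from /pem and SAML metadata by fingerprint."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

XMLDSIG_NS = "{http://www.w3.org/2000/09/xmldsig#}"


def pem_to_der(pem_text):
    """Extract the first CERTIFICATE block from a /pem response and decode it to DER."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                      pem_text, re.S)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM text")
    return base64.b64decode("".join(match.group(1).split()))


def metadata_to_der(metadata_xml):
    """Return DER bytes for every ds:X509Certificate in a samlp/metadata document.

    Metadata carries the certificate as bare base64 (no PEM header/footer), often
    wrapped across lines, so whitespace is stripped before decoding.
    """
    root = ET.fromstring(metadata_xml)
    return [base64.b64decode("".join(el.text.split()))
            for el in root.iter(XMLDSIG_NS + "X509Certificate")]


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def same_certificate(pem_text, metadata_xml):
    """True if the /pem certificate appears among the metadata's signing certificates."""
    wanted = fingerprint(pem_to_der(pem_text))
    return wanted in {fingerprint(der) for der in metadata_to_der(metadata_xml)}


# --- Constructed sample inputs (placeholder bytes, not real certificates) ---
def _as_pem(der):
    body = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

TENANT_PEM = _as_pem(b"constructed tenant signing cert")          # stands in for /pem
CONNECTION_PEM = _as_pem(b"constructed connection signing cert")  # /pem?cert=connection
TENANT_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><md:IDPSSODescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    %s
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
</md:IDPSSODescriptor></md:EntityDescriptor>""" % base64.b64encode(
    b"constructed tenant signing cert").decode()
```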