Problem statement
A tenant has been configured to support a SAML connection. However, the login attempts fail.
The Identity Provider (IdP) expects that SAML Requests will be signed using the SHA-2 hash algorithm. This article explains how Signature Algorithm and DigestMethod Algorithm can be configured for use with SHA-2.
Symptoms
Login failure due to incompatibility of both the Signature Algorithm and DigestMethod Algorithm at SP and IdP ends of the SAML transaction.
Troubleshooting
Capture the failed login flow in a HAR file for analysis. For further information, refer to Generate and Analyze HAR Files.
Cause
The IdP expects that both the Signature Algorithm and DigestMethod Algorithm will be signed with the SHA-2 hash algorithm. However, the Auth0 Service Provider (SP) connection has been configured to support a different value.
Solution
The SHA-2 family consists of six hash functions with digests (hash values) that are 224, 256, 384 or 512 bits.
For SAML signatures, Auth0 supports SHA-256.
Follow the steps below to switch from SHA-1 to SHA256.
- Login to the dashboard as a tenant member ( Administrator ).
- Navigate Authentication > Enterprise > [select-SAML-connection].
- Scroll down to Sign Request Algorithm: select RSA-SHA256 from the Dropdown Menu.
- Scroll down to Sign Request Algorithm Digest: select SHA256 from the Dropdown Menu.
- Scroll down to the bottom of the screen: Click Save Changes.