Details on "Invalid Thumbprint" error on SAMLp Enterprise Connection

We have a SAML enterprise connection set up for one of our clients, who just replaced their x509 signing certificate over the weekend. We are now getting "Invalid thumbprint (configured: xxx. calculated: yyy", which I’ve read is due to a mismatch of certificates (SAML SSO invalid thumbprint error).

I’m trying to communicate with my client’s security team about the issue, but there’s some confusion on the origins of this error message and where responsibility lies. In the error message above, is this coming from the IdP and does “configured” refer to the certificate configured on the IdP?

Also, any tips on how to trace this would be helpful. I’ve attached a SAML-tracer plugin to the session, but the only signing certificates I see in the SAML responses belong to our tenant on Auth0.

Many thanks,

- Manesh

Hi @manesh.mistry,

For Invalid thumbprint errors, the configured value is for the certificate that you have uploaded to the Auth0 connection, and the calculated value is for the certificate that was in the SAML Response sent by the IdP to Auth0.

In general we recommend confirming that you have the correct certificate from the IdP uploaded to the connection. If you believe that is the case, would you be able to DM me the SAML trace so I can help troubleshoot further?

2 Likes

Hi @david_wisecarver,

Thank you for the insight. I have to work with the client to retrieve the SAML response data. Once I have that I’ll DM it to you.

One thing I’ve noticed is that the configured value doesn’t seem to reflect the certificate that I’m uploading. Is there any way to retrieve the details of the configured x509 cert on the connection? The settings view doesn’t provide much detail on the cert in order for me to confirm what has been saved. When I examine the cert file locally I can see that the thumbprint matches the “Calculated” field, however.

I was able to resolve this issue after some investigation. It turns out that the issue was that the x509 signing cert was not getting updated into the connection, because the posted metadata file from the IdP actually had 2 signing certificates, with the first being the old, expired certificate and the second being the new one. As Auth0 doesn’t support multiple signing certs, it was probably pulling the first one as part of some kind of validation when adding the new certificate. I eventually had to remove the link to the metadata file in order to get the update to actually persist.

This is not at all evident by just reviewing the dashboard and connection settings and I was only able to discover this by digging into the management API (get & update connection) and by referencing this post: Auth0 Connection Management Options - Full API Missing.

Essentially, I think there could be 3 potential improvements that would make maintenance of connection settings a little more manageable:

  1. On the Connection Settings dashboard, under “x509 Signing Certificate” it just shows the display name of the certificate. Additional fields such as the thumbprint or expiry would help users identify what is actually configured and whether they need to take action.
  2. When updating the x509 signing certificate, a simple validation to check whether the configured certificate is expired and display an error or warning message.
  3. When metadata changes are pushed on the IdP, it would be helpful if Auth0 could detect this and automatically import the new certificate. It seems like most of this logic is already in place and probably just needs to be added to some backend process to poll for updates, or, in a simpler use case, just provide a button on the connection settings page to perform this check.
1 Like
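The two replies above describe the situation from both ends: the "configured" thumbprint is whatever the Auth0 connection holds, the "calculated" one comes from the certificate inside the IdP's SAML Response, and a metadata file listing an old certificate ahead of the new one is enough to leave the connection pointing at the stale key. The following Python script is an added example for reproducing that diagnosis offline; it is not Auth0's code and was not posted in this thread. It assumes the thumbprint is the conventional X.509 fingerprint (SHA-1 over the DER bytes) and compares case- and separator-insensitively, since the exact display format is not stated on the page. The metadata, the Response fragment and the two certificate blobs are constructed placeholders (arbitrary bytes, not real certificates); with a real metadata file and a Response captured by a SAML tracer, the same functions list every signing certificate in document order and tell you which metadata entry each thumbprint from the error message belongs to.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed placeholders standing in for DER-encoded X.509 certificates.
# Real metadata and Responses carry the actual base64 DER blobs in these elements.
OLD_CERT_B64 = base64.b64encode(b"constructed DER placeholder: expired IdP signing cert").decode()
NEW_CERT_B64 = base64.b64encode(b"constructed DER placeholder: rotated IdP signing cert").decode()

# Constructed IdP metadata: two signing KeyDescriptors, old certificate first, new second.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.invalid/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAMLP}">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{OLD_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {NEW_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed SAML Response fragment: the IdP now signs with the new certificate.
SAML_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:ds="{DS}" ID="_resp1" Version="2.0">
  <ds:Signature>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{NEW_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:Response>"""


def thumbprint(cert_b64: str) -> str:
    """SHA-1 fingerprint of the DER bytes as lowercase hex (assumed display format)."""
    der = base64.b64decode("".join(cert_b64.split()))  # drop line breaks/indentation
    return hashlib.sha1(der).hexdigest()


def same_thumbprint(a: str, b: str) -> bool:
    """Compare ignoring case and the colon/space separators some tools print."""
    def norm(s):
        return s.replace(":", "").replace(" ", "").lower()
    return norm(a) == norm(b)


def signing_thumbprints_from_metadata(xml_text: str) -> list:
    """Thumbprints of every signing certificate in the metadata, in document order.

    A KeyDescriptor without a `use` attribute may be used for signing and
    encryption, so it is included as a signing key.
    """
    root = ET.fromstring(xml_text)
    found = []
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            found.append(thumbprint(cert.text))
    return found


def signing_thumbprints_from_response(xml_text: str) -> list:
    """Thumbprints of the certificate(s) carried in the Response's ds:Signature."""
    root = ET.fromstring(xml_text)
    return [thumbprint(c.text) for c in root.iter(f"{{{DS}}}X509Certificate")]


def explain_mismatch(configured: str, calculated: str, metadata_thumbprints: list) -> dict:
    """Map the 'configured' and 'calculated' values from the error onto metadata entries.

    Each index is the position (document order) of the matching metadata
    certificate, or None when nothing in the metadata matches.
    """
    def index_of(tp):
        for i, m in enumerate(metadata_thumbprints):
            if same_thumbprint(tp, m):
                return i
        return None
    return {
        "match": same_thumbprint(configured, calculated),
        "configured": index_of(configured),
        "calculated": index_of(calculated),
    }


if __name__ == "__main__":
    meta = signing_thumbprints_from_metadata(IDP_METADATA)
    resp = signing_thumbprints_from_response(SAML_RESPONSE)
    print("metadata signing certs:", meta)
    print("response signing cert :", resp)
    # The thread's situation: the connection kept the first (old) metadata
    # certificate as "configured", while the IdP signs with the second.
    print(explain_mismatch(meta[0], resp[0], meta))
```

Run it as-is to see the `configured: 0, calculated: 1` outcome from the thread; with real files, pass the metadata text and the Response body from the tracer to the two `signing_thumbprints_from_*` functions and the two strings from the error message to `explain_mismatch`. The script uses the standard-library XML parser because its inputs are files you already hold; for metadata fetched from a remote URL, `defusedxml` is the safer parser. Certificate expiry, the second improvement suggested above, is not derivable with the standard library alone; if the `cryptography` package is installed, `x509.load_der_x509_certificate(der)` exposes `not_valid_after` for each blob.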
