I was able to resolve this issue after some investigation. It turns out that the issue was that x509 signing cert was not getting updated into the connection, because the posted metadata file from the IdP actually had 2 signing certificates with the first being the old, expired certificate and the second being the new one. As Auth0 doesnt support multiple signing certs, it was probably pulling the first one as part of some kind of validation when adding the new certificate. I eventually had to remove the link to the metadata file in order to get the update to actually persist.
This is not at all evident by just reviewing the dashboard and connection settings and I was only able to discover this by digging into the management API (get & update connection) and by referencing this post: Auth0 Connection Management Options - Full API Missing.
Essentially, I think there could be 3 potential improvements that would make maintenance of connection settings a little more manageable:
- On the Connection Settings dashboard, under “x509 Signing Certificate” it just shows the display name of the certificate. Additional fields such as the thumbprint or expiry would help users identify what is actually configured and if they need to take action
- When updating the x509 signing certificate, a simple validation to check whether the configured certificate is expired and display an error or warning message
- When metadata changes are pushed on the IdP, it would be helpful if Auth0 could detect this and automatically import the new certificate. It seems like most of this logic is already in place and probably just need to be added to some backend process to poll for updates, or in a simpler use case, just provide a button on the connection settings page to perform this check.