Problem statement
We downloaded the signing certificate from tenant settings > signing keys. The Issued to and Issued by fields show our Auth0 domain name (not even the custom domain).
In the SAML addon, the x509 certificate has the same issue. Could you please let us know why the issuer and issuee are the same? Why is there no trusted CA for the signing certificates?
Solution
The tenant and SAML certificates are self-signed by default. This is because they are generally considered to be for internal use, or more specifically for use between two applications/endpoints that are under the control of the same team/organisation.
The SAML certificate falls under this classification because both the SAML Identity Provider (IdP) and the Service Provider (SP) are considered to be under the control of the same organisation.
The tenant signing certificate is not the one used for the HTTPS connection to the Auth0 domain; that uses the Auth0 TLS certificate, which is issued by a trusted CA (Cloudflare).
If changing the SAML certificate is desired, for example to a CA-signed certificate, you can use the Management API to update your SAML connection with your own CA-signed public/private key pair.
The steps to update the connection are documented at the following link:
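Added example (not Auth0's code): a small Python check that reproduces the observation in the problem statement, namely that a self-signed certificate's issuer and subject Names are identical, plus the request body for the Management API update described above. The `options.signing_key` field name is an assumption to confirm against the linked documentation, and `constructed_cert_pem` builds an unsigned, constructed certificate purely so the check can run offline.

```python
import base64
import re

def _tlv(buf, pos):
    """Decode one DER tag/length header at pos -> (tag, header_len, content_len)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, 2, first
    n = first & 0x7F
    return tag, 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def _children(buf, pos, end):
    """Yield (tag, start, end) for each element inside a constructed DER node."""
    while pos < end:
        tag, hlen, clen = _tlv(buf, pos)
        yield tag, pos, pos + hlen + clen
        pos += hlen + clen

def is_self_signed(pem):
    """True when the certificate's issuer Name is byte-identical to its subject Name."""
    der = base64.b64decode("".join(re.sub(r"-----[A-Z ]+-----", "", pem).split()))
    _, hlen, _ = _tlv(der, 0)                                     # Certificate SEQUENCE
    _, tbs_start, tbs_end = next(_children(der, hlen, len(der)))  # tbsCertificate
    _, thlen, _ = _tlv(der, tbs_start)
    fields = list(_children(der, tbs_start + thlen, tbs_end))
    if fields[0][0] == 0xA0:                                      # optional [0] version
        fields = fields[1:]
    issuer, subject = fields[2], fields[4]  # serial, sigalg, issuer, validity, subject, ...
    return der[issuer[1]:issuer[2]] == der[subject[1]:subject[2]]

def signing_key_patch(cert_pem, key_pem):
    """Body for PATCH /api/v2/connections/{id}; 'signing_key' is an assumed option name."""
    return {"options": {"signing_key": {"cert": cert_pem, "key": key_pem}}}

def _der(tag, content):
    """Minimal DER encoder, used only to construct offline test certificates."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def constructed_cert_pem(issuer_cn, subject_cn):
    """Constructed, structurally valid but UNSIGNED certificate: test input only."""
    name = lambda cn: _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
               + name(issuer_cn) + _der(0x30, _der(0x17, b"240101000000Z") * 2) + name(subject_cn) + _der(0x30, b""))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()
```

Run `is_self_signed` on the PEM downloaded from tenant settings to confirm the issuer/subject match before deciding whether to replace it, and only send the payload once the certificate you pass in is the CA-signed one.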