Encrypted SAML Assertions


We are using Auth0 as a service provider and have SAML connections configured for our clients’ IdPs. One of our clients has configured their IdP to send encrypted assertions. We’re having some trouble with logins from this client, and I suspect it’s because the assertions they’re sending are in a different format from what we expect. Unfortunately I can only see the cypher text of the assertions, not the clear text, which makes troubleshooting difficult.

From what I read, if we use Auth0 managed certificates (which we do) we don’t have access to the private key, so I can’t decrypt the assertions outside of Auth0. I also don’t see the decrypted assertions logged anywhere, although maybe I just missed it. Other than asking the client to disable encrypting assertions (which, for ADFS at least, is enabled by default when the client uses the Auth0 metadata to setup the relying party) is there a way to see the assertions?


1 Like

Hi Alex. SAML connections have a “Debug” toggle that will output the received attributes in the tenant logs, but that will only work if the assertion is accepted (no errors), so that might not help you in this case.

What kind of errors you are getting? The first thing to check would be of course you having the right certificate from the ADFS server for signature validation, and that they have your tenant’s certificate for generating the encrypted assertion.

If you are willing to work on this a bit more, you can use your own key pair for encryption. Take a look here for the configuration: https://auth0.com/docs/protocols/saml/saml-configuration/special-configuration-scenarios/signing-and-encrypting-saml-requests#use-your-own-key-pair-to-decrypt-encrypted-responses

Good luck with the troubleshooting!

1 Like

Thanks, the debug option should give me what I need.

1 Like

Perfect! Glad you guys have sorted it out!

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.