Encrypted SAML Response from Identity Provider Decoding Error

Overview

This article describes two of the possible reasons for the following error message when Auth0 is the SAML Service Provider (SP) and receives an encrypted SAML Response from an Identity Provider (IdP):

error:02000079:rsa routines::oaep decoding error

This error appears in the Auth0 Dashboard logs; search for the log event type ‘f’, which indicates a ‘failed login’. This article also assumes the IdP is using an Auth0-generated certificate to encrypt the SAML Response rather than a custom solution.

Applies To

  • SAML connection
  • Encryption
  • SAML assertion
  • SAML Response

Cause

This article discusses two of the possible reasons for this issue:

  • This issue can occur if the certificate downloaded as described in the document Receive encrypted SAML authentication assertions was malformed at the time the IdP uploaded it. One indication of a malformed certificate is incompatible formatting, such as the presence of Carriage Return (CR) or Line Feed (LF) characters in the certificate itself. For example, a certificate that contains ‘\n’ or ‘\r’ characters to indicate line breaks could return the error being discussed.
  • The URL used to download the certificate is malformed or incorrect. For example, the Auth0 link that downloads the appropriate certificate for an IdP to encrypt the SAML Response takes this format (note that file formats other than .cer are available):
https://YOUR_AUTH0_DOMAIN/cer?cert=connection

If the ‘cert’ query string parameter in the above URL is instead set to the name of the specific SAML connection the certificate belongs to, the error in question will be thrown. For example, an incorrect URL would look like this:

https://YOUR_AUTH0_DOMAIN/cer?cert=My-SAML-Connection

Solution

For issue 1 (certificate formatting), the certificate needs to be re-formatted so that it does not include any of the invalid characters mentioned. This can often be solved simply by re-downloading the certificate.

For issue 2 (URL formatting), download the certificate using the correct URL shown above and provide that certificate to the IdP instead.
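The following Python script, added here as an example and not part of the Auth0 article or product, runs both checks before the certificate is handed to the IdP: it flags CR characters and literal ‘\n’/‘\r’ escape sequences in the downloaded PEM, confirms the body is valid base64 wrapping a well-formed outer DER SEQUENCE, and confirms the download URL uses the literal cert=connection parameter. The PEM body it uses is a constructed DER SEQUENCE placeholder, not a real certificate.

```python
"""Sanity checks for the Auth0-issued SAML encryption certificate and its
download URL (added example; standard library only). The PEM body below is
a constructed DER SEQUENCE placeholder, not a real certificate."""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlparse

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed samples: a clean PEM, one with escaped "\n" text, one with CRLF.
GOOD_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
ESCAPED_PEM = GOOD_PEM.replace("\n", "\\n")
CRLF_PEM = GOOD_PEM.replace("\n", "\r\n")


def check_pem(text):
    """Return the list of problems found (empty list means the PEM looks sane)."""
    problems = []
    # Literal backslash-n/-r means a string-escaped copy was pasted, not the file.
    if "\\n" in text or "\\r" in text:
        problems.append("literal \\n or \\r escape sequences present")
    if "\r" in text:
        problems.append("carriage-return characters present")
    m = PEM_RE.search(text)
    if not m:
        return problems + ["missing BEGIN/END CERTIFICATE markers"]
    body = re.sub(r"\s+", "", m.group(1))
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return problems + ["body is not valid base64"]
    if len(der) < 2 or der[0] != 0x30:
        return problems + ["DER does not start with a SEQUENCE tag"]
    # Outer DER length (short or long form) must cover exactly the payload.
    length, offset = der[1], 2
    if length & 0x80:
        n = length & 0x7F
        length, offset = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if offset + length != len(der):
        problems.append("outer DER length does not match payload size")
    return problems


def check_cert_url(url):
    """True only for the Auth0 /cer endpoint with the literal cert=connection."""
    u = urlparse(url)
    return (u.scheme == "https" and u.path == "/cer"
            and parse_qs(u.query).get("cert") == ["connection"])
```

Run check_pem on the file you are about to upload and check_cert_url on the link you fetched it from; an empty problem list and a True result rule out both causes described above.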

Note that there may be other reasons for this error message to be thrown; however, the two reasons above are common and should be checked when encountering this issue.