Error:04099079 When Using Auth0 as SP and Keycloak as IDP

Problem statement

Guidance is required on how to set up Auth0 as the Service Provider (SP) and Keycloak as the Identity Provider (IdP). The current configuration results in an error during login:

error:04099079:rsa routines:RSA_padding_check_PKCS1_OAEP_mgf1:oaep decoding error

Symptoms

  • Using Keycloak as IdP
  • Auth0 as SP via SAML
  • Faulty configuration results in the error:
    error:04099079:rsa routines:RSA_padding_check_PKCS1_OAEP_mgf1:oaep decoding error

Cause

Keycloak does not allow the SP's signing certificate to be added to a SAML client manually. A client created by hand therefore does not hold Auth0's certificate, so the assertion it encrypts cannot be unwrapped with Auth0's key; the failed RSA-OAEP key unwrap is what the error above reports.

Solution

Keycloak does not support creating a SAML client and then pasting in the SP's signing certificate afterwards. Instead, create the client by importing the Auth0 SP metadata file, which carries the certificate. The metadata is available from the following endpoint:

https://{yourDomain}/samlp/metadata?connection={yourConnectionName}

where yourDomain is the Auth0 tenant domain and yourConnectionName is the name of the SAML connection.
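The check below is an added example, not Auth0 or Keycloak code. It builds the metadata URL above, parses an SP metadata document, fingerprints each certificate it carries, and reports whether the certificate Keycloak holds for the client is one of them. The sample metadata, tenant domain, connection name and certificate contents are constructed placeholders (real metadata carries X.509 DER in the X509Certificate elements); the function names are this example's own.

```python
"""Inspect Auth0 SP metadata and compare it with the certificate Keycloak
holds for the SAML client.  Added example, not vendor code; all sample
values are constructed."""
import base64
import hashlib
import re
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def metadata_url(your_domain, connection_name):
    """Build the Auth0 SP metadata endpoint named in the article."""
    return f"https://{your_domain}/samlp/metadata?connection={connection_name}"


def fetch_sp_metadata(your_domain, connection_name, timeout=10):
    """Download the SP metadata XML (network call; the offline demo below does not use it)."""
    with urllib.request.urlopen(metadata_url(your_domain, connection_name), timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def normalize_cert(b64_cert):
    """Strip PEM armour and whitespace so a value copied out of Keycloak and the
    metadata's <X509Certificate> text compare as the same base64 DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", b64_cert)
    return re.sub(r"\s+", "", body)


def fingerprint(b64_cert):
    """SHA-256 over the DER bytes, colon-separated like `openssl x509 -fingerprint`."""
    der = base64.b64decode(normalize_cert(b64_cert))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_sp_metadata(xml_text):
    """Return entityID, ACS locations and a {use: fingerprint} map of SP certificates."""
    root = ET.fromstring(xml_text)
    sp = root.find("md:SPSSODescriptor", NS)
    certs = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        use = kd.get("use", "both")  # SAML: a KeyDescriptor without 'use' serves both
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        certs[use] = fingerprint(cert.text)
    acs = [a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)]
    return {"entity_id": root.get("entityID"), "acs": acs, "certs": certs}


def keycloak_cert_matches(metadata, keycloak_cert):
    """True when the certificate Keycloak holds for the client is one of the SP's
    metadata certificates.  A mismatch means Keycloak encrypts to a key Auth0 does
    not have, which Auth0 reports as the OAEP decoding error."""
    return fingerprint(keycloak_cert) in metadata["certs"].values()


# Constructed DER placeholders (not real certificates).
CERT_AUTH0 = base64.b64encode(b"constructed DER bytes: Auth0 SP certificate").decode()
CERT_STALE = base64.b64encode(b"constructed DER bytes: certificate pasted by hand").decode()

# Constructed, trimmed SP metadata in the shape of an Auth0 /samlp/metadata response.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="urn:auth0:example-tenant:example-connection">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
                   AuthnRequestsSigned="true" WantAssertionsSigned="true">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>@CERT@</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
        <X509Certificate>@CERT@</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.auth0.com/login/callback?connection=example-connection"
        index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>
""".replace("@CERT@", CERT_AUTH0)

if __name__ == "__main__":
    md = parse_sp_metadata(SAMPLE_METADATA)
    print("entityID :", md["entity_id"])
    print("ACS      :", md["acs"])
    for use, fp in md["certs"].items():
        print(f"{use:10s}: {fp}")
    print("Keycloak cert matches SP metadata:", keycloak_cert_matches(md, CERT_AUTH0))
    print("Hand-pasted cert matches         :", keycloak_cert_matches(md, CERT_STALE))
```

To use it against a live tenant, replace SAMPLE_METADATA with the output of fetch_sp_metadata(yourDomain, yourConnectionName) and pass the base64 certificate shown on the Keycloak client's Keys tab to keycloak_cert_matches; a False result means the client was not created from this metadata and should be re-imported.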

For more information, refer to SAML Identity Provider Configuration Settings.

Related References