Error "Failed to read asymmetric key" on SAML Response

Problem Statement:

When trying to set up a Ping Federate connection, we received the “Failed to read asymmetric key” error on SAML Response.

Symptoms:

Error “Failed to read asymmetric key” is returned.
Failed login errors with the following description: “error:1E08010C:DECODER routines::unsupported”.

Troubleshooting:

Ping Federate has several options controlling what it puts in its responses, and some of them affect whether Auth0 can read the signing certificate: https://docs.pivotal.io/p-identity/1-5/pingfederate/config-pingfederate.html

If possible, capture a HAR file of the full SAML login flow so the SAML response can be decoded and checked against what Auth0 actually receives.

Cause:

This can be caused by configuring Ping Federate not to send the certificate in its responses, in which case Auth0 rejects the signature.

If the certificate is included in the SAML response, the Auth0 server uses the certificate from the response to check the signature, as long as that certificate's thumbprint matches the one specified in the connection. If the certificate is not in the SAML response, the Auth0 server uses the certificate from options.signingCert to validate the signature.

So, when Ping Federate is configured not to send the certificate in the SAML response, authentication fails on the Auth0 side.

Solution:

Enabling the Ping Federate option to include the certificate in the SAML response resolves most instances of this error. If that does not help, check that the certificate uploaded to the Auth0 connection and the one sent by Ping Federate are the same.
A HAR file is useful for checking this when debug mode is not enabled on the connection.

If you are not able to include the certificate in the SAML response, you can instead create a SAML connection to Ping Federate rather than using the default Ping Federate connection: