"Failed to read asymmetric key" when signing in through a new SAML connection

Question: Why am I seeing the error “Failed to read asymmetric key” when signing in through a new SAML connection? I have SAML connections with other IdPs configured identically and those work fine.

Answer:

There is a known bug in the Auth0 product that allows you to upload a certificate in the “wrong” format. Certificates should be uploaded in the format described in this document:

options.signingCert format for SAML connections

(Generally, the correct format is applied automatically if you upload a PEM-formatted certificate through the dashboard. The above document applies specifically to uploading certificates directly through the Management API.)

In some circumstances it is possible to upload a certificate in the “wrong” format. When this happens, depending on the IdP behavior, the connection may or may not work.

Auth0 validates a SAML response as follows:

  1. If the SAML response includes a public key, the thumbprint of the public key in the SAML response is compared to the thumbprint of the public key that was configured in the Auth0 SAML connection. If the thumbprints match, the public key from the SAML response is used to verify the signature on the response. This avoids parsing the uploaded certificate, so the incorrect format doesn’t raise errors.

  2. If the SAML response does not include a public key, the public key that was configured in the SAML connection is used to verify the signature on the response. If the key was not uploaded in the correct format, parsing the certificate in this step fails.

The Auth0 product can still compute the thumbprint of a public key that was uploaded in the “wrong” format, so the security model is preserved, but this makes for some confusing behavior. This is why two seemingly identical connections behave differently:

  • If the IdP includes the signing certificate in the SAML response, the connection will work with the “wrong” certificate format.
  • If the IdP does not include the signing certificate in the SAML response, the connection will not work with the “wrong” certificate format.
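As an added illustration (not Auth0's code), here is a small Python model of the two-step validation above. It assumes the “wrong” format is bare base64 with the PEM headers stripped, uses a constructed ASN.1 stub in place of a real X.509 certificate, and only decides which key would be used; it performs no actual signature verification.

```python
import base64
import hashlib
import re
from typing import Optional

# Constructed stand-in for a DER certificate: a minimal ASN.1 SEQUENCE.
# Not a real X.509 certificate; just enough to exercise the format checks.
FAKE_DER = bytes.fromhex("3003020101")
B64 = base64.b64encode(FAKE_DER).decode()

# The same key material in the two shapes the page contrasts (assumed):
# a proper PEM block, and the "wrong" format as bare base64 without headers.
PEM_CERT = f"-----BEGIN CERTIFICATE-----\n{B64}\n-----END CERTIFICATE-----\n"
BARE_CERT = B64


class KeyReadError(Exception):
    """Stands in for Auth0's 'Failed to read asymmetric key'."""


def lenient_der(cert: str) -> bytes:
    """Thumbprint path: drop headers and whitespace, recover the DER bytes."""
    body = re.sub(r"-----(BEGIN|END)[^-]*-----", "", cert)
    return base64.b64decode("".join(body.split()))


def thumbprint(cert: str) -> str:
    """SHA-1 thumbprint over the DER bytes; tolerant of either format."""
    return hashlib.sha1(lenient_der(cert)).hexdigest()


def strict_parse(cert: str) -> bytes:
    """Fallback path: require a well-formed PEM block before using the key."""
    m = re.fullmatch(
        r"-----BEGIN CERTIFICATE-----\n([A-Za-z0-9+/=\n]+)-----END CERTIFICATE-----\n?",
        cert)
    if not m:
        raise KeyReadError("Failed to read asymmetric key")
    der = base64.b64decode(m.group(1))
    if not der or der[0] != 0x30:  # outer DER SEQUENCE tag expected
        raise KeyReadError("Failed to read asymmetric key")
    return der


def select_signing_key(configured_cert: str, response_cert: Optional[str]) -> str:
    """Return 'response' (step 1) or 'configured' (step 2); raise on failure."""
    if response_cert is not None:
        if thumbprint(response_cert) != thumbprint(configured_cert):
            raise ValueError("thumbprint mismatch: reject response")
        return "response"          # step 1: configured cert is never parsed
    strict_parse(configured_cert)  # step 2: the "wrong" format fails here
    return "configured"
```

Running `select_signing_key(BARE_CERT, None)` reproduces the failing case from the page, while the same bare certificate paired with an embedded response certificate succeeds.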

Community Topic: options.signingCert format for SAML connections
