Invalid Thumbprint Error from SAML Logins

Problem Statement

Logins started to fail for every user on a SAML connection, and the log event description shows an “invalid thumbprint” error.

Symptoms

  • Auth0 is the SP (service provider)
  • The user authenticates successfully at the upstream IdP and a signed SAML response is returned to Auth0
  • The login then fails with the error “Invalid thumbprint”

Cause

The X.509 signing certificate uploaded on the Auth0 side for the SAML connection does not match the certificate the Identity Provider is currently using to sign its SAML responses. Auth0 compares the thumbprint (certificate fingerprint) of the certificate it has on file with the one presented by the IdP, and rejects the login when they differ. The usual trigger is the IdP rotating or renewing its signing certificate without the new certificate being uploaded to the Auth0 connection.

Solution

Work with your identity provider to confirm which certificate it is currently using to sign SAML responses, and check its thumbprint against the one uploaded on the Auth0 connection.

Note that Auth0 supports only a single certificate for a SAML connection, so when the IdP rotates its signing certificate the connection will fail for every user until the new certificate replaces the old one on the Auth0 side.

Upload the certificate the IdP is currently using via the Dashboard (delete the existing certificate, then upload the new one) or via the Management API. See:

https://auth0.com/docs/authenticate/identity-providers/enterprise-identity-providers/saml#get-the-signing-certificate-from-the-idp
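The comparison behind this error can be reproduced offline before touching the connection: take the PEM certificate configured on the Auth0 side, pull the certificate the IdP embeds in ds:KeyInfo of its SAML response (or in the signing ds:KeyDescriptor of its metadata, which uses the same element), compute the SHA-1 fingerprint of each DER encoding, and compare. The script below is an added example and is not Auth0's code or documentation; the SAML response it parses and the certificate bytes it hashes are constructed placeholders (they are not real X.509 structures), and the helper names are illustrative. It shows both the matching case and the post-rotation mismatch that produces the error described above.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and all whitespace, return the DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER encoding: the fingerprint `openssl x509 -fingerprint -sha1`
    prints (here as plain upper-case hex, without the colons)."""
    return hashlib.sha1(der).hexdigest().upper()


def certs_in_keyinfo(xml_text: str) -> list:
    """Return the DER of every ds:X509Certificate in the document.
    Works for a SAML Response (ds:Signature/ds:KeyInfo) and for IdP metadata
    (md:KeyDescriptor/ds:KeyInfo), which carry the certificate the same way."""
    root = ET.fromstring(xml_text)
    return [
        base64.b64decode("".join((el.text or "").split()))  # IdPs wrap the base64 across lines
        for el in root.iter(f"{{{DS_NS}}}X509Certificate")
    ]


def check_thumbprint(configured_pem: str, response_xml: str) -> dict:
    """Compare the certificate on file (Auth0 side) with what the IdP actually sent."""
    expected = thumbprint(pem_to_der(configured_pem))
    presented = [thumbprint(der) for der in certs_in_keyinfo(response_xml)]
    return {"configured": expected, "presented": presented, "match": expected in presented}


# --- constructed sample data (placeholders, not real certificates) ---------------

def der_to_pem(der: bytes) -> str:
    """Armour DER bytes the way a certificate is pasted into the connection settings."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def saml_response_with(der: bytes) -> str:
    """Constructed minimal Response carrying the signing certificate in ds:KeyInfo."""
    b64 = base64.b64encode(der).decode()
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:ds="{DS_NS}" ID="_r1" Version="2.0">'
        "<ds:Signature><ds:KeyInfo><ds:X509Data>"
        f"<ds:X509Certificate>{b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></ds:Signature>"
        "</samlp:Response>"
    )


# Placeholder byte strings standing in for the IdP's previous and rotated DER certificates.
OLD_DER = b"constructed placeholder: DER of the certificate uploaded to the Auth0 connection"
NEW_DER = b"constructed placeholder: DER of the certificate the IdP rotated to afterwards"

CONFIGURED_PEM = der_to_pem(OLD_DER)            # what is on file in Auth0
RESPONSE_BEFORE_ROTATION = saml_response_with(OLD_DER)
RESPONSE_AFTER_ROTATION = saml_response_with(NEW_DER)

if __name__ == "__main__":
    for label, xml in (("before rotation", RESPONSE_BEFORE_ROTATION),
                       ("after rotation", RESPONSE_AFTER_ROTATION)):
        r = check_thumbprint(CONFIGURED_PEM, xml)
        print(f"{label}: configured={r['configured']} presented={r['presented']} "
              f"-> {'OK' if r['match'] else 'Invalid thumbprint'}")
```

To run the same check against real material, decode the SAMLResponse form field from a browser trace (base64, sometimes also deflated for redirect bindings) and pass the XML to check_thumbprint together with the PEM currently uploaded to the connection; a mismatch there confirms the IdP has changed its signing certificate and the Auth0 side needs the new one.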