Overview of Signing and Encryption Features for a SAML Service Provider

Problem statement

A SAML enterprise connection has been configured in the tenant. Auth0 is acting in the role of Service Provider (SP), and another entity has been configured to act as the Identity Provider (IdP).

Explain how the SP responds to signed and encrypted SAML payloads that are received from the IdP.

Solution

The following discussion is specific to the scenario in which Auth0 is the SAML Service Provider (SP). Auth0 then connects to a SAML Identity Provider (IdP) through a SAML connection.

Let us first distinguish between signing and encryption.

Signed Authentication Requests

SAML assertions for IdP connections are optionally signed in order to ensure the integrity of the transaction. Any deliberate or accidental alteration of the payload can be detected and flagged as an error.

Signing SAML Authentication Requests

By default, Auth0 uses the tenant private key to sign SAML requests. This process is activated when the Sign Request toggle is enabled for the selected SAML connection. The public key is then downloaded and supplied to the IdP in order for it to validate the signature.

Signing with a Custom Key-Pair

As an alternative to using the tenant private key, customers have the option of supplying their own public/private key pair, either generated with OpenSSL or taken from a certificate purchased from a commercial Certificate Authority. For more information, refer to Using a Custom Key to Sign Requests.

Check Integrity of Received Requests

If Auth0 is the SAML service provider, all SAML responses from the IdP should be signed to ensure that they have not been tampered with by an unauthorized third party. To implement this check, obtain the signing certificate from the IdP and upload it into the SAML enterprise connection. For more information, refer to Receive Signed SAML Authentication Response.

The Role of Encryption

Now that signing of requests has been discussed, let us examine the role played by encryption. Encryption provides another layer of security for SAML transactions: where signing protects the integrity of a payload, encryption assures the confidentiality of the information exchanged.

Receive encrypted assertions

In situations where Auth0 is the SP, the default method is to use the tenant’s private/public key pair to handle encryption. To enable this function, it is necessary to provide the tenant’s public key certificate to the IdP. The IdP encrypts the SAML assertion using the public key and sends it to the Auth0 SP, which decrypts it using the tenant’s private key. For more information, refer to Received Encrypted SAML Authentication Assertions.

Encryption using a Custom Key-pair

There may be situations where it is desirable to use a custom public/private key-pair rather than the default tenant keys. This function can be implemented via a Management API call to the Update-a-Connection endpoint. For more information, refer to Use Your Key-Pair to Decrypt Encrypted Responses.
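The following shell script is an added illustration, not Auth0's code and not part of this article. It reproduces with plain OpenSSL commands the two relationships described above: the integrity check from Check Integrity of Received Requests (a payload signed with the IdP's private key is verified with the IdP's public key, and an altered copy is rejected), and the confidentiality exchange from Receive encrypted assertions (the IdP encrypts for the SP's public key, and only the SP's private key can recover the assertion). It goes slightly beyond the text by also checking that an unrelated private key fails to decrypt. All key names, CN values, file names and the sample assertion are constructed placeholders; the only assumption is that `openssl` is on PATH.

```shell
#!/bin/sh
# Added illustration, not Auth0 code: the SAML SP signing and encryption
# relationships from this article, reproduced with plain OpenSSL commands.
# Assumes only that `openssl` is on PATH; all names below are placeholders.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create an RSA key pair and a self-signed certificate for a party ($1).
# This stands in for the tenant (or custom) key pair on the Auth0 side and
# for the IdP's signing key pair on the other side.
make_keypair() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$1.example" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
  # Only the public half is handed to the other party: the SP certificate
  # goes to the IdP, the IdP certificate is uploaded to the SP connection.
  openssl x509 -in "$WORK/$1.crt" -pubkey -noout > "$WORK/$1.pub"
}

# A constructed stand-in for a SAML assertion payload.
write_assertion() {
  printf '<saml:Assertion ID="_constructed"><saml:Subject>%s</saml:Subject></saml:Assertion>\n' \
    'alice@example.com' > "$WORK/assertion.xml"
}

# ---- Integrity: signed by the IdP, verified by the SP with the IdP key ----
sign_payload() {    # $1 = private key, $2 = payload, $3 = signature output
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}
verify_payload() {  # $1 = public key, $2 = payload, $3 = signature
  openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

# Succeeds only if the genuine payload verifies AND an altered copy is rejected.
signature_detects_tampering() {
  make_keypair idp
  write_assertion
  sign_payload "$WORK/idp.key" "$WORK/assertion.xml" "$WORK/assertion.sig"
  verify_payload "$WORK/idp.pub" "$WORK/assertion.xml" "$WORK/assertion.sig" || return 1
  sed 's/alice/mallory/' "$WORK/assertion.xml" > "$WORK/tampered.xml"
  if verify_payload "$WORK/idp.pub" "$WORK/tampered.xml" "$WORK/assertion.sig"; then
    return 1   # an altered payload still verified: this is the error to flag
  fi
  return 0
}

# ---- Confidentiality: encrypted by the IdP for the SP, decrypted with the
# SP private key. As in XML Encryption, a fresh symmetric content key encrypts
# the assertion and the SP's RSA public key wraps that key (RSA-OAEP). ----
encrypt_for_sp() {  # $1 = SP public key, $2 = plaintext, $3 = output prefix
  key=$(openssl rand -hex 32)   # 256-bit AES content key, used once
  iv=$(openssl rand -hex 16)    # IV travels in the clear beside the ciphertext
  printf '%s' "$key" > "$3.key" && printf '%s' "$iv" > "$3.iv" \
  && openssl enc -aes-256-cbc -K "$key" -iv "$iv" -in "$2" -out "$3.enc" \
  && openssl pkeyutl -encrypt -pubin -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
       -in "$3.key" -out "$3.wrapped" \
  && rm "$3.key"                # only the wrapped key leaves the sender
}
decrypt_at_sp() {   # $1 = SP private key, $2 = input prefix, $3 = plaintext output
  openssl pkeyutl -decrypt -inkey "$1" -pkeyopt rsa_padding_mode:oaep \
       -in "$2.wrapped" -out "$2.key" 2>/dev/null \
  && openssl enc -d -aes-256-cbc -K "$(cat "$2.key")" -iv "$(cat "$2.iv")" \
       -in "$2.enc" -out "$3" 2>/dev/null
}

# Succeeds only if the ciphertext hides the subject, the SP key recovers the
# exact assertion, and an unrelated private key cannot decrypt it.
encrypted_assertion_round_trips() {
  make_keypair sp
  make_keypair other
  write_assertion
  encrypt_for_sp "$WORK/sp.pub" "$WORK/assertion.xml" "$WORK/enc" || return 1
  if grep -aq 'alice' "$WORK/enc.enc"; then return 1; fi
  decrypt_at_sp "$WORK/sp.key" "$WORK/enc" "$WORK/decrypted.xml" || return 1
  cmp -s "$WORK/assertion.xml" "$WORK/decrypted.xml" || return 1
  if decrypt_at_sp "$WORK/other.key" "$WORK/enc" "$WORK/wrong.xml"; then return 1; fi
  return 0
}

# Stand-alone run: one line per check.
signature_detects_tampering && echo "signature: tampering detected"
encrypted_assertion_round_trips && echo "encryption: round trip OK, wrong key rejected"
```

The script shows only the cryptographic relationships, not the XML framing: real SAML messages carry the signature inside the document as an XML Signature over a canonicalised subtree, and the wrapped content key travels in an EncryptedKey element next to the EncryptedData. The practical point it makes is the same one the article makes: the private halves (`idp.key`, `sp.key`) never leave their owners, and the only material exchanged between IdP and SP is the public key or certificate.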

Related References