Ping Federate Connection Not Working - Error "Failed to read asymmetric key"

Last Updated: Sep 24, 2024

Overview

When trying to set up a Ping Federate connection, the following error is received on the SAML response:

Failed to read asymmetric key

The failed login error has the following description:

error:1E08010C:DECODER routines::unsupported

Applies To

  • Ping Federate connection

  • SAML

  • Failed Login

Cause

This can be caused by configuring Ping Federate not to send the certificate in its SAML responses, so Auth0 rejects the signature.

If the certificate is included in the SAML response, the Auth0 server uses the certificate from the response to check the signature, as long as the certificate's thumbprint matches the one specified in the connection. If the certificate is not in the SAML response, the Auth0 server uses the certificate from options.signingCert to validate the signature.

So, when the customer chooses not to send the certificate in the element in the SAML response, authentication fails on the Auth0 side.

To troubleshoot the error:

  • Ping Federate has some options regarding responses that can be toggled, which can impact Auth0’s ability to read the certificate. Please check out this document for more details.
  • If possible, get a HAR file of the full SAML login flow to decode and check what SAML is actually being sent to Auth0.

Solution

Enabling the option to include the certificate in the element should resolve most instances of this error. If this fails, check that the certificate uploaded to the connection and the one Ping Federate is sending are the same (a HAR file is useful for this if debug mode is not enabled on the connection).

If the certificate cannot be included in the element in the SAML response, create a SAML connection to connect with Ping Federate instead of using the default Ping Federate connection. Please see Configure PingFederate as SAML Identity Provider for more details.