I’m using Auth0 as a SAML service provider. My connections to the external IDPs work when SAML assertions are not encrypted. When I turn on encryption on the external IDP and upload the certificate obtained from https://my_auth0_domain/cer?cert=my-connection I’m getting the following error:
I tried with uploading different encryption certificate file formats, but that didn’t help.
I didn’t set any custom decryptionKey, I am using the one provided by Auth0 by default.
Solution:
Don’t upload to the IDP the encryption certificate obtained from https://my_auth0_domain/cer?cert=my-connection
Use https://my_auth0_domain/samlp/metadata?connection=my-connection to fetch the Auth0 SP metadata. Then extract the encryption certificate from the downloaded metadata XML and manually create a .cer or .pem file to upload on the IDP side.
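The extraction step in the solution above, written out as an added example (this is not code from the thread or from Auth0). It parses SP metadata, picks the KeyDescriptor whose `use` is `encryption` (falling back to a KeyDescriptor with no `use` attribute, which the SAML metadata spec defines as valid for both signing and encryption), checks that the body is well-formed base64, wraps it into a PEM file, and prints a SHA-256 fingerprint of the DER so you can compare it with what the IDP shows after upload. The metadata document and the certificate bodies are constructed placeholders; the tenant domain, the connection name and the `fetch_metadata` helper are assumptions.

```python
import base64
import hashlib
import sys
import textwrap
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders standing in for the DER certificate bodies; not real certificates.
SIGNING_B64 = base64.b64encode(b"constructed-signing-cert-placeholder").decode()
ENCRYPTION_B64 = base64.b64encode(b"constructed-encryption-cert-placeholder").decode()


def build_sample_metadata(encryption_use="encryption"):
    """Constructed SP metadata shaped like a /samlp/metadata response (assumed layout).

    encryption_use=None omits the `use` attribute on the second KeyDescriptor,
    which per the SAML metadata spec means the key serves both purposes.
    """
    use_attr = f' use="{encryption_use}"' if encryption_use else ""
    return f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="urn:auth0:my-tenant:my-connection">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{SIGNING_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor{use_attr}>
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          {ENCRYPTION_B64}
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def fetch_metadata(auth0_domain, connection):
    """Assumed helper: download SP metadata for one connection from the tenant."""
    url = f"https://{auth0_domain}/samlp/metadata?connection={urllib.parse.quote(connection)}"
    with urllib.request.urlopen(url, timeout=15) as resp:
        return resp.read().decode("utf-8")


def extract_certificate(metadata_xml, use="encryption"):
    """Return the whitespace-stripped base64 body of the KeyDescriptor for `use`.

    Prefers an exact `use` match; otherwise falls back to a KeyDescriptor that
    carries no `use` attribute. Raises ValueError when neither exists.
    """
    root = ET.fromstring(metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    fallback = None
    for kd in sp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue
        body = "".join(cert.text.split())  # metadata often wraps the base64 over lines
        if kd.get("use") == use:
            return body
        if kd.get("use") is None and fallback is None:
            fallback = body
    if fallback is None:
        raise ValueError(f"no KeyDescriptor with use={use!r} (and none without a use attribute)")
    return fallback


def to_pem(b64_body):
    """Validate the base64 body and wrap it as a PEM CERTIFICATE block (64-char lines)."""
    der = base64.b64decode(b64_body, validate=True)  # rejects non-base64 garbage early
    canonical = base64.b64encode(der).decode()
    lines = textwrap.wrap(canonical, 64)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fingerprint_sha256(b64_body):
    """SHA-256 over the DER bytes, the value most IDP consoles display after upload."""
    der = base64.b64decode(b64_body, validate=True)
    return hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    # usage: python extract_enc_cert.py my_auth0_domain my-connection > auth0-enc.pem
    if len(sys.argv) == 3:
        xml_text = fetch_metadata(sys.argv[1], sys.argv[2])
    else:
        xml_text = build_sample_metadata()  # offline run on the constructed sample
    body = extract_certificate(xml_text, "encryption")
    sys.stdout.write(to_pem(body))
    print("sha256 fingerprint:", fingerprint_sha256(body), file=sys.stderr)
```

Redirect stdout to a `.pem` (or `.cer`) file and hand that to the IDP; the fingerprint goes to stderr so it does not end up in the file. If the script raises ValueError, the metadata has no encryption key at all, which is a different problem from uploading the wrong certificate.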
A quick follow-up on this thread: if you request the certificate from https://{your_auth0_domain}/pem?cert=connection, you will obtain the same signing/encryption certificate that you would obtain from the SAML connection metadata (*). It’s important that the query string has cert=connection, with the parameter value being the literal connection string value, not the connection name. I.e., don’t replace connection.