Receive encrypted SAML authentication assertions - Decode error

I’m using Auth0 as a SAML service provider. My connections to the external IDPs work when SAML assertions are not encrypted. When I turn on encryption on the external IDP and upload the certificate obtained from https://my_auth0_domain/cer?cert=my-connection I’m getting the following error:

error:04099079:rsa routines:RSA_padding_check_PKCS1_OAEP_mgf1:oaep decoding error

I tried with uploading different encryption certificate file formats, but that didn’t help.
I didn’t set any custom decryptionKey, I am using the one provided by Auth0 by default.

Solution:
Don’t upload to the IDP the encryption certificate obtained from https://my_auth0_domain/cer?cert=my-connection

Use https://my_auth0_domain/samlp/metadata?connection=my-connection to fetch the Auth0 SP metadata. Then extract the encryption certificate from the downloaded metadata XML and manually create a .cer or .pem file to upload on the IDP side.

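Extracting the encryption certificate from the SP metadata and writing it out as a PEM file, as the solution above describes, shown here as an added Python example (not Auth0's code or the poster's). The metadata document and the certificate bodies are constructed placeholders; the element names and namespaces are the standard SAML 2.0 metadata ones.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample in the shape of an SP metadata document; the two
# X509Certificate bodies are placeholder base64, not real certificates.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:example:sp:my-connection">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        U0lHTklOR0NFUlQ=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        RU5DUllQVElPTkNFUlQ=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def extract_certificate(metadata_xml: str, use: str = "encryption") -> str:
    """Return the base64 body of the SP certificate declared for `use`.

    A KeyDescriptor with no `use` attribute is valid for both signing and
    encryption in SAML metadata, so the first such one is used as a fallback.
    """
    root = ET.fromstring(metadata_xml)
    fallback = None
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue
        body = "".join(cert.text.split())  # drop the whitespace/newlines around the base64
        if kd.get("use") == use:
            return body
        if kd.get("use") is None and fallback is None:
            fallback = body
    if fallback is None:
        raise ValueError(f"no {use} certificate in SP metadata")
    return fallback


def to_pem(b64_body: str) -> str:
    """Wrap a base64 DER certificate body as PEM text with 64-character lines."""
    base64.b64decode(b64_body, validate=True)  # reject a corrupted body before writing it
    lines = [b64_body[i:i + 64] for i in range(0, len(b64_body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"
```

Feed the metadata fetched from the samlp/metadata endpoint to `extract_certificate` and save the result of `to_pem` as the .pem file to upload on the IDP side.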

Thank you a lot for sharing it with the rest of the community!


A quick follow-up on this thread: if you request the certificate from https://{your_auth0_domain}/pem?cert=connection, you will obtain the same signing/encryption certificate that you would obtain from the SAML connection metadata (*). It’s important that the query string has cert=connection, with the parameter value being the literal connection string value, not the connection name. I.e., don’t replace connection.

(*) as long as the connection doesn’t have a custom key pair configured for either signing or encryption as described in Use a custom key to sign requests and Use your key pair to decrypt encrypted responses.