Request signing with Okta as IDP

I’ve created an enterprise SAML connection in Auth0, using Okta as the IDP. Authentication works fine. Now I want to set up request signing.

I’ve enabled Sign Request in Auth0. I can see Signature and SigAlg being sent along with the SAMLRequest.

In Okta, I uploaded my tenant’s signing cert (obtained from https://<MY_TENANT_DOMAIN>/pem).

But when signature validation is enabled, login transactions immediately fail with Unknown configuration or configuration not supported.

If I disable signature validation on Okta’s side, login works again. So obviously Okta doesn’t like something about my signed SAMLRequest.

I verified the signature using Validate SAML AuthN Request Online Tool | and it’s correct.

Has anyone successfully configured this?