We are using Auth0 as a SAML provider to integrate with the 3rd party service for sign-in.
We have been using it for a few months without any problems, but about 3 weeks ago, we started getting an error that the SAML Assertion signature of Auth0 is invalid and sign-in fails.
No changes have been made to the settings for both Auth0 and other services.
The majority of users are still able to use the service and only a small number of users are facing the problem.
Once a user fails to validate a signature, it continues to fail.
Users who have successfully signed in in the past are now facing this problem.
Is there any way to check if there is something wrong with the SAML Assertion signature on the Auth0 side?
If I’m understanding your setup, Auth0 is acting as a SAML Identity Provider and you have 3rd party services acting as Service Providers and trying to authenticate users against your tenant?
If so, it could be a mismatch between what Auth0 is sending as its certificate, and what the 3rd party has stored. Ideally, the 3rd party can use your application acting as the IdP’s SAML Metadata URL to ensure it has the most up to date certificate for your tenant, but if they have hardcoded a certificate and the tenant’s cert has changed, it could lead to issues and the 3rd party needs to upload the new cert.
I’m afraid there isn’t a way to check the Assertion from the Auth0 side directly, you’d need to capture a login attempt in a HAR file by one of the users to inspect the SAML Assertion in full.
You could compare this to the flow for a user that is working to see if there is any difference in the Assertion’s certificates being presented. If there is none, then it is most likely the issue I mentioned above.
If so, it could be a mismatch between what Auth0 is sending as its certificate, and what the 3rd party has stored.
I suspected it too and compared the latest Auth0 metadata with the 3rd party metadata and they are the same.
you’d need to capture a login attempt in a HAR file by one of the users to inspect the SAML Assertion in full.
I understood how to check the SAML assertion from your advice.
By comparing the successful and unsuccessful SAML assertions, I found the cause in my case. The invalid signatures were occurring when the SAML:Attribute contained emoji. (e.g. )
It is not clear to me whether the problem is in the signature handling of either Auth0 or the 3rd Party service, but it seems that I can take workarounds such as removing emoji.
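The two checks this thread walks through (does the certificate inside the assertion's Signature match the IdP metadata, and do any attribute values carry emoji) can be run against a SAMLResponse taken from a HAR capture. The script below is an added example written for this thread, not code from Auth0 or the service provider; the SAML response, attribute values and certificate string in it are constructed samples, and a real check would compare against the certificate published at the tenant's metadata URL.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Characters outside the Basic Multilingual Plane; most emoji live here.
NON_BMP = re.compile(r"[\U00010000-\U0010FFFF]")

# Constructed sample: a minimal signed Assertion with a placeholder certificate
# and a nickname attribute containing an emoji (the failing case in the thread).
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC-CONSTRUCTED-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="nickname"><saml:AttributeValue>alice \U0001F600</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
# The HAR stores the POSTed SAMLResponse field base64-encoded, as here.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode("utf-8")).decode("ascii")


def decode_saml_response(b64_response: str) -> ET.Element:
    """Decode a base64 SAMLResponse form field (as captured in a HAR) into XML."""
    return ET.fromstring(base64.b64decode(b64_response))


def assertion_certificate(root: ET.Element) -> str:
    """Return the X509 certificate carried in the assertion's Signature, whitespace stripped."""
    cert = root.find(".//ds:Signature//ds:X509Certificate", NS)
    if cert is None or not cert.text:
        raise ValueError("no X509Certificate in assertion signature")
    return "".join(cert.text.split())


def certificate_matches_metadata(root: ET.Element, metadata_cert_b64: str) -> bool:
    """Compare the signing certificate in the assertion with the one from IdP metadata."""
    return assertion_certificate(root) == "".join(metadata_cert_b64.split())


def attributes_with_non_bmp(root: ET.Element) -> list:
    """List (attribute name, value) pairs whose value contains non-BMP characters such as emoji."""
    hits = []
    for attr in root.findall(".//saml:Attribute", NS):
        for value in attr.findall("saml:AttributeValue", NS):
            text = value.text or ""
            if NON_BMP.search(text):
                hits.append((attr.get("Name", ""), text))
    return hits
```

A certificate mismatch points at stale metadata on the service-provider side; a hit from the emoji check reproduces the condition the original poster found and is worth testing against the same user with the attribute value changed.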