SAML Assertion signature is invalid

We are using Auth0 as a SAML provider to integrate with the 3rd party service for sign-in.
We have been using it for a few months without any problems, but about 3 weeks ago, we started getting an error that the SAML Assertion signature of Auth0 is invalid and sign-in fails.

  • No changes have been made to the settings for both Auth0 and other services.
  • The majority of users are still able to use the service and only a small number of users are facing the problem.
  • Once a user fails to validate a signature, it continues to fail.
  • Users who have successfully signed in in the past are now facing this problem.

Is there any way to check if there is something wrong with the SAML Assertion signature on the Auth0 side?

Hi @hiromichi.kishi, welcome to the community!

If I’m understanding your setup, Auth0 is acting as a SAML Identity Provider and you have 3rd party services acting as Service Providers and trying to authenticate users against your tenant?

If so, it could be a mismatch between what Auth0 is sending as its certificate, and what the 3rd party has stored. Ideally, the 3rd party can use your application acting as the IdP’s SAML Metadata URL to ensure it has the most up to date certificate for your tenant, but if they have hardcoded a certificate and the tenant’s cert has changed, it could lead to issues and the 3rd party needs to upload the new cert.

I’m afraid there isn’t a way to check the Assertion from the Auth0 side directly, you’d need to capture a login attempt in a HAR file by one of the users to inspect the SAML Assertion in full.
You could compare this to the flow for a user that is working to see if there is any difference in the Assertion’s certificates being presented. If there is none, then it is most likely the issue I mentioned above.

You can also provide your own certificates to be used to sign responses instead of the default Auth0 pair, should that be needed by your 3rd parties:

Hi @sgo, thank you for the reply!

Your understanding of my setup is correct.

If so, it could be a mismatch between what Auth0 is sending as its certificate, and what the 3rd party has stored.

I suspected it too and compared the latest Auth0 metadata with the 3rd party metadata and they are the same.

you’d need to capture a login attempt in a HAR file by one of the users to inspect the SAML Assertion in full.

I understood how to check the SAML assertion from your advice.

By comparing the successful and unsuccessful SAML assertions, I found the cause in my case.
The invalid signatures were occurring when the SAML:Attribute contained emoji. (e.g. :dog2:)

It is not clear to me whether the problem is in the signature handling of either Auth0 or the 3rd Party service, but it seems that I can take workarounds such as removing emoji.

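The two checks discussed in this thread, as an added example that is not code from the thread or from Auth0: fingerprint the signing certificate embedded in a captured SAMLResponse (the base64 POST field from a HAR, after URL-decoding) so the failing user's assertion can be compared with a working user's assertion and with the tenant metadata, then diff the assertion digests to see how a non-BMP character such as an emoji in an attribute value changes the hashed bytes when one side serializes it differently. The certificate bytes, the response skeleton and the metadata fragment are constructed placeholders (not a real X.509 certificate), `split_surrogates()` is a hypothetical faulty serializer used only to show the mechanism, and the stdlib `canonicalize()` is C14N 2.0 rather than the exclusive C14N 1.0 SAML signatures use, so it reproduces the mechanism, not a real IdP's DigestValue.

```python
"""Diff two captured SAML responses: signing certificate, then assertion digest.

Added example, not code from the thread or from Auth0. Input is the base64
SAMLResponse POST field as captured in a HAR file. The certificate, the
response skeleton and the metadata fragment are constructed placeholders;
split_surrogates() is a hypothetical faulty serializer, not a claim about
any particular product. Standard library only (Python 3.8+).
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed stand-in for the base64 DER body of <ds:X509Certificate>.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a DER certificate").decode()

# Constructed IdP metadata fragment carrying the same signing certificate.
IDP_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{NS["md"]}" entityID="urn:example:idp">'
    f'<md:IDPSSODescriptor><md:KeyDescriptor use="signing">'
    f'<ds:KeyInfo xmlns:ds="{NS["ds"]}"><ds:X509Data>'
    f'<ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>'
    f'</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
    f'</md:IDPSSODescriptor></md:EntityDescriptor>'
).encode("utf-8")


def build_response(attr_value, cert_b64=FAKE_CERT_B64):
    """Constructed response with one attribute (signature values are dummies),
    returned as the base64 text a HAR shows in the SAMLResponse form field."""
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1">'
        f'<saml:Assertion ID="_a1"><saml:Issuer>urn:example:idp</saml:Issuer>'
        f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo/>'
        f'<ds:SignatureValue>AAAA</ds:SignatureValue><ds:KeyInfo><ds:X509Data>'
        f'<ds:X509Certificate>{cert_b64}</ds:X509Certificate>'
        f'</ds:X509Data></ds:KeyInfo></ds:Signature>'
        f'<saml:AttributeStatement><saml:Attribute Name="displayName">'
        f'<saml:AttributeValue>{escape(attr_value)}</saml:AttributeValue>'
        f'</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def decode_har_field(saml_response_b64):
    """URL-decode the SAMLResponse field from the HAR first (not done here), then
    base64-decode; the POST binding does not deflate, so the result is the XML."""
    return base64.b64decode(saml_response_b64)


def cert_fingerprints(xml_bytes):
    """SHA-256 of the DER bytes of every ds:X509Certificate in the document.
    Works on a response (cert inside ds:Signature) and on IdP metadata
    (md:KeyDescriptor), so a failing user's assertion, a working user's
    assertion and the tenant metadata can be compared side by side."""
    root = ET.fromstring(xml_bytes)
    fps = []
    for node in root.iterfind(".//ds:X509Certificate", NS):
        der = base64.b64decode("".join((node.text or "").split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps


def split_surrogates(text):
    """Hypothetical faulty serializer: treats the string as UTF-16 code units and
    emits each half of a surrogate pair as its own character reference. BMP text
    (ASCII, accented letters) passes through unchanged; only emoji and other
    supplementary-plane characters are rewritten, which matches a failure that
    hits only users whose attributes contain emoji."""
    out = []
    for ch in text:
        cp = ord(ch)
        if cp > 0xFFFF:
            cp -= 0x10000
            out.append(f"&#{0xD800 + (cp >> 10)};&#{0xDC00 + (cp & 0x3FF)};")
        else:
            out.append(ch)
    return "".join(out)


def assertion_digest(xml_bytes, serialize=None):
    """Digest the way XML-DSig does: drop the enveloped ds:Signature, canonicalize,
    hash the UTF-8 bytes. `serialize` injects a post-canonicalization step to mimic
    a faulty verifier. Stdlib canonicalize() is C14N 2.0, not the exclusive C14N
    1.0 SAML uses, so this shows the mechanism, not a real IdP's DigestValue."""
    assertion = ET.fromstring(xml_bytes).find("saml:Assertion", NS)
    sig = assertion.find("ds:Signature", NS)
    if sig is not None:
        assertion.remove(sig)
    canon = ET.canonicalize(ET.tostring(assertion, encoding="unicode"))
    if serialize is not None:
        canon = serialize(canon)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    working = decode_har_field(build_response("Zo\u00eb"))             # accented letter only
    failing = decode_har_field(build_response("Zo\u00eb \U0001F415"))  # plus an emoji (U+1F415)
    print("same cert as metadata:",
          cert_fingerprints(working) == cert_fingerprints(IDP_METADATA) == cert_fingerprints(failing))
    for name, blob in (("working", working), ("failing", failing)):
        print(name, "IdP digest", assertion_digest(blob)[:16],
              "faulty SP digest", assertion_digest(blob, split_surrogates)[:16])
```

If the fingerprints match across the working capture, the failing capture and the metadata, the certificate is not the problem, which is the situation in this thread; the digest comparison then points at how the attribute value is serialized before hashing, and the accented-letter case shows why only the emoji users are affected.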
Thanks for sharing that @hiromichi.kishi, that’s the first time I’ve personally come across emoji in a SAML attribute :smiley:
