SAML Assertion signature is invalid

Hi @hiromichi.kishi , welcome to the community!

If I’m understanding your setup, Auth0 is acting as a SAML Identity Provider and you have 3rd party services acting as Service Providers and trying to authenticate users against your tenant?

If so, it could be a mismatch between what Auth0 is sending as its certificate, and what the 3rd party has stored. Ideally, the 3rd party can use your application acting as the IdP’s SAML Metadata URL to ensure it has the most up to date certificate for your tenant, but if they have hardcoded a certificate and the tenant’s cert has changed, it could lead to issues and the 3rd party needs to upload the new cert.

I’m afraid there isn’t a way to check the Assertion from the Auth0 side directly, you’d need to capture a login attempt in a HAR file by one of the users to inspect the SAML Assertion in full.
You could compare this to the flow for a user that is working to see if there is any difference in the Assertion’s certificates being presented. If there is none, then it is most likely the issue I mentioned above.

You can also provide your own certificates to be used to sign responses instead of the default Auth0 pair, should that be needed by your 3rd parties:

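The comparison the reply describes, as an added example that is not part of the original post and is not Auth0's own tooling: it takes the `SAMLResponse` form parameter copied from the HAR capture of the failing login, pulls the certificate out of every `ds:Signature` in the response, and compares its fingerprint with the signing certificates published in the IdP metadata and with the certificate the Service Provider has on file. The certificates, the SAML XML and the metadata below are constructed sample data, not real tenant material; the function names and the `sp_stored_cert_b64` parameter are this example's own.

```python
import base64
import hashlib
import urllib.parse
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"


def cert_fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint (hex) of the base64 DER blob found in a
    <ds:X509Certificate> element; line breaks inside the element are ignored."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def certs_in_saml_response(saml_response_param: str) -> list[str]:
    """Fingerprints of every certificate carried inside a <ds:Signature> of the
    SAMLResponse POST parameter as copied from a HAR (URL-encoded base64 XML).
    A Response may be signed at the Response level, the Assertion level, or both,
    so every Signature element is inspected."""
    raw_b64 = urllib.parse.unquote_plus(saml_response_param)
    root = ET.fromstring(base64.b64decode(raw_b64))
    fps = []
    for sig in root.iter(DS + "Signature"):
        for cert in sig.iter(DS + "X509Certificate"):
            fps.append(cert_fingerprint(cert.text or ""))
    return fps


def signing_certs_in_metadata(metadata_xml: str) -> list[str]:
    """Fingerprints of the IdP signing certificates in SAML metadata:
    <md:KeyDescriptor use="signing">, or with no 'use' attribute (meaning both)."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iter(MD + "KeyDescriptor"):
        if kd.get("use") in (None, "signing"):
            for cert in kd.iter(DS + "X509Certificate"):
                fps.append(cert_fingerprint(cert.text or ""))
    return fps


def diagnose(saml_response_param: str, idp_metadata_xml: str, sp_stored_cert_b64: str) -> dict:
    """Compare the cert actually presented in the captured assertion against the
    IdP's published metadata and against the cert the SP has hardcoded."""
    presented = certs_in_saml_response(saml_response_param)
    published = signing_certs_in_metadata(idp_metadata_xml)
    stored = cert_fingerprint(sp_stored_cert_b64)
    return {
        "presented": presented,
        "published": published,
        "sp_stored": stored,
        # IdP is presenting what it publishes: the capture is consistent with metadata
        "presented_in_metadata": bool(presented) and all(fp in published for fp in presented),
        # SP's stored cert matches what was presented; False explains an invalid-signature error
        "sp_has_presented_cert": stored in presented,
    }


# --- constructed sample data: placeholder bytes, not real certificates or a real tenant ---
CURRENT_CERT_B64 = base64.b64encode(b"constructed DER bytes: current tenant signing cert").decode()
STALE_CERT_B64 = base64.b64encode(b"constructed DER bytes: rotated-out signing cert").decode()

SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CURRENT_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""
# Shaped like the SAMLResponse value in a HAR POST body: base64, then form-encoded
SAMPLE_SAMLRESPONSE_PARAM = urllib.parse.quote_plus(base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode())

SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:example:idp">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CURRENT_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    # The SP still holds the rotated-out cert: presented cert is in metadata, but not on file at the SP
    print(diagnose(SAMPLE_SAMLRESPONSE_PARAM, SAMPLE_IDP_METADATA, STALE_CERT_B64))
```

A fingerprint match only shows that the certificate being presented is the one the IdP publishes and the one the SP has stored; it does not verify the XML signature itself, which requires a canonicalising XML-DSig implementation rather than a string comparison. For a working login, run the same function over its HAR and check that `presented` is identical; if the failing flow differs only in `sp_has_presented_cert` being false, the SP is holding a stale certificate and needs the current one from the metadata URL.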