SAML Connection stops working

Problem Statement

An existing SAML connection stopped working for all SP-Initiated user login attempts. There were no recent configuration changes on the Auth0 connection settings or on the IdP configuration side.

In the tenant log, we saw error messages referring to issues associated with an invalid signature and issues related to validating the authentication request.

Troubleshooting

Please decode the SAML response and verify whether it contains a Status element. If it does, the error originates from the upstream IdP and not from Auth0. In that case the signature validation error does not mean that Auth0 failed to verify the SAML response; it most likely means that the IdP failed to validate the signed SAML authentication request that Auth0 sent.

Having confirmed that the signature/certificate error originates from the IdP, the next step is to find out which certificate and keys the connection uses to sign outgoing authentication requests. Please check the connection configuration in Inspector and confirm whether the connection has the options.signing_key attribute set. If it does, the connection uses a custom certificate provided by a tenant Admin instead of the default tenant signing key for SAML connections.

Given that the connection stopped working without any apparent changes, it is likely that the IdP is already set up to use the public key corresponding to this custom certificate. Please grab the certificate containing the public key from options.signing_key.cert and parse it to verify the validity period, confirming whether the certificate expired around the time the errors started.
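The validity check described above, as an added example that is not part of the original article or of Auth0's own tooling: it reads the notBefore/notAfter window straight out of the PEM certificate taken from options.signing_key.cert with a minimal DER walker (no third-party libraries) and reports whether the certificate was expired at the instant the errors began. The sample certificate at the bottom is a constructed, unsigned skeleton used only to exercise the parser.

```python
import base64
import re
from datetime import datetime, timezone

def _tlv(data, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos). Handles long-form lengths."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                          # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _time(tag, value):
    """Decode UTCTime (tag 0x17, YYMMDD...) or GeneralizedTime (tag 0x18, YYYYMMDD...)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def certificate_validity(pem):
    """Return (not_before, not_after) of a PEM X.509 certificate such as options.signing_key.cert."""
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    _, cert, _ = _tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                  # tbsCertificate ::= SEQUENCE
    tag, _, pos = _tlv(tbs, 0)                 # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)             # serialNumber
    _, _, pos = _tlv(tbs, pos)                 # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                 # issuer Name
    _, validity, _ = _tlv(tbs, pos)            # validity ::= SEQUENCE { notBefore, notAfter }
    t1, nb, pos = _tlv(validity, 0)
    t2, na, _ = _tlv(validity, pos)
    return _time(t1, nb), _time(t2, na)

def expired_at(pem, when_iso):
    """True if the certificate was outside its validity window at the given ISO-8601 instant (with offset)."""
    not_before, not_after = certificate_validity(pem)
    when = datetime.fromisoformat(when_iso).astimezone(timezone.utc)
    return not (not_before <= when <= not_after)

def _der(tag, body):                           # short-form lengths are enough for the sample below
    return bytes([tag, len(body)]) + body

# Constructed sample (hypothetical, not a real or signed certificate): a minimal tbsCertificate
# skeleton whose validity window ended on 2023-03-01, enough for the parser above to read.
_tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))                        # version v3
        + _der(0x02, b"\x01")                                             # serialNumber 1
        + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))     # sha256WithRSAEncryption
        + _der(0x30, b"")                                                 # empty issuer
        + _der(0x30, _der(0x17, b"220301000000Z") + _der(0x17, b"230301000000Z")))
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(_der(0x30, _tbs)).decode()
                   + "-----END CERTIFICATE-----\n")
```

Feed the real PEM from options.signing_key.cert and the timestamp of the first failed login from the tenant log into expired_at to confirm the diagnosis.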

Cause

The custom certificate configured in the connection for authentication request signing had expired, and the upstream IdP requires the signing certificate to be within its validity period.

Additionally, the private key and the decryption key should be configured in PKCS#8 format.

Solution

Please renew the certificate in question through the certification authority of your choice. After obtaining the new certificate, update the SAML connection with it and provide the new public key to the upstream IdP so that they can update their configuration to use the new certificate as well.

Reference