Problem statement
In a SAML connection, Auth0 is configured as the Identity Provider (IdP) and the Service Provider (SP) is operated by a third party. The SP operator decided to require that AuthN requests be signed, after which the SAML Web App stopped working. Login attempts resulted in the error:
“SAML Response not signed”
Explain what changes need to be made to restore the SAML connection to a working state.
Symptoms
- The customer’s SAML addon suddenly stopped working after the SP introduced new requirements:
- AuthN requests must be signed, and SHA-256 is enforced as the signing algorithm
- Certificates were updated
- The supported NameID formats are now specified explicitly
- The error received from the SP during login was:
“SAML Response not signed”
- The configuration of the SAML addon was updated to include:
- “signatureAlgorithm”: “rsa-sha256”
- “signResponse”: true (with this setting Auth0 signs the SAML Response instead of the Assertion, which is what is signed by default)
- The SP then returned a further error:
“SAML assertion not signed”
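The sequence of errors above follows directly from where the XML signature sits in the document. As an added diagnostic example (not Auth0’s code and not part of the original article), the script below parses a SAML Response and reports whether a ds:Signature element is a child of the Response, of the Assertion, or both, then models an SP that requires both signatures. It assumes Auth0’s documented behaviour that the default is an Assertion-level signature and that “signResponse”: true moves the signature to the Response. The sample documents, the issuer name and the signature values are constructed placeholders, and nothing here validates a signature cryptographically.

```python
"""Locate the XML signature in a SAML Response and model a strict SP's verdict.

Added example, not Auth0's code. The sample Responses are constructed here
(placeholder IDs, issuer and SignatureValue), so this only reports where a
ds:Signature element sits; it performs no cryptographic verification.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Placeholder enveloped signature; SignatureValue is not a real signature.
SIG_TEMPLATE = (
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo>'
    '<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>'
    '<ds:SignatureMethod Algorithm="{alg}"/></ds:SignedInfo>'
    "<ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>"
)


def build_sample_response(sign_response: bool, sign_assertion: bool, alg: str = RSA_SHA256) -> str:
    """Constructed SAML Response skeleton with signatures placed as requested."""
    sig = SIG_TEMPLATE.format(alg=alg)
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        "<saml:Issuer>urn:example-tenant.auth0.com</saml:Issuer>"  # placeholder issuer
        + (sig if sign_response else "")
        + "<samlp:Status><samlp:StatusCode "
        'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0">'
        "<saml:Issuer>urn:example-tenant.auth0.com</saml:Issuer>"
        + (sig if sign_assertion else "")
        + "<saml:Subject><saml:NameID "
        'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        "user@example.com</saml:NameID></saml:Subject>"
        "</saml:Assertion></samlp:Response>"
    )


def signature_placement(xml_text: str) -> dict:
    """Report which element carries ds:Signature and the SignatureMethod it declares."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("document root is not samlp:Response")
    # find() with a plain tag only looks at direct children, which is what matters here.
    response_signed = root.find("ds:Signature", NS) is not None
    assertion_signed = any(
        a.find("ds:Signature", NS) is not None for a in root.findall("saml:Assertion", NS)
    )
    algorithm = None
    for sig in root.iter("{%s}Signature" % NS["ds"]):
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        if method is not None:
            algorithm = method.get("Algorithm")
            break
    return {
        "response_signed": response_signed,
        "assertion_signed": assertion_signed,
        "signature_algorithm": algorithm,
    }


def sp_verdict(placement: dict, require_response: bool, require_assertion: bool) -> str:
    """Hypothetical SP policy check; the error strings mirror the ones quoted in the article."""
    if require_response and not placement["response_signed"]:
        return "SAML Response not signed"
    if require_assertion and not placement["assertion_signed"]:
        return "SAML assertion not signed"
    return "OK"


if __name__ == "__main__":
    strict = dict(require_response=True, require_assertion=True)
    default_cfg = build_sample_response(sign_response=False, sign_assertion=True)
    sign_response_cfg = build_sample_response(sign_response=True, sign_assertion=False)
    for label, doc in (("default (assertion signed)", default_cfg),
                       ('"signResponse": true (response signed)', sign_response_cfg)):
        placement = signature_placement(doc)
        print(label, placement, "->", sp_verdict(placement, **strict))
```

Run against a real Response captured from the browser (base64-decode the SAMLResponse form field first), the placement report tells you immediately which of the two errors an SP enforcing both signatures will return. It is a locating aid only; signature validation, including protection against signature wrapping, belongs to the SP’s SAML library.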
Cause
In configurations where Auth0 is the Identity Provider (IdP), signing both the assertion and the response is not currently supported: with the default settings Auth0 signs only the assertion, and with “signResponse”: true it signs only the response, so an SP that requires both signatures rejects either configuration.
Solution
In configurations where Auth0 is the Identity Provider (IdP), signing both the assertion and the response is not currently supported. However, an item for this capability does exist in the feature backlog.
Customers who require the capability to sign both the assertion and the response, where Auth0 is the IdP, are encouraged to submit a feature request via our Customer Feedback form.
Related References