SAML integrations not working after signing key rotation

Problem Statement:

After rotating signing keys, SAML integrations were not working. Logins through SAML connections with Auth0 as the IdP will fail after signing key rotation even if the previous key has not been revoked.

Cause:

A tenant uses the same key pair for signing JWTs and SAML responses. Rotating the signing key will affect SAML integrations. Unfortunately, Auth0 doesn’t have automatic support for SAML signing key rotation. For SAML enterprise connections and SAML integrations with Auth0 as the IdP, the old certificate will no longer be valid, and a new one will need to be downloaded and sent to the external partner.

Solution:

  1. Coordinate a time with your partners to rotate the signing key.
  2. Immediately after you rotate the signing key, download the new tenant certificate from:

https://tenant.{us/eu/au}.auth0.com/pem

  3. Provide the certificate to your partners. If your partner is a SAML SP, they will use the certificate to verify SAML responses from Auth0.
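Before sending the downloaded certificate to partners, it is worth confirming that it really is the post-rotation certificate and not the one they already hold. The script below is an added example written for this article, not Auth0's own tooling; it assumes the tenant JWKS at /.well-known/jwks.json publishes each key's certificate in x5c, and the sample certificates are constructed byte strings, not real X.509 data.

```python
import base64
import hashlib
import json
import ssl
from urllib.request import urlopen

def thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint of DER certificate bytes, base64url without padding (JWK 'x5t' form)."""
    return base64.urlsafe_b64encode(hashlib.sha1(der).digest()).rstrip(b"=").decode()

def pem_thumbprint(pem: str) -> str:
    """Thumbprint of a PEM certificate such as the one served at /pem."""
    return thumbprint(ssl.PEM_cert_to_DER_cert(pem))

def jwks_thumbprints(jwks: dict) -> set:
    """Thumbprints of every certificate in the tenant JWKS, computed from x5c
    rather than trusting the published x5t value."""
    return {thumbprint(base64.b64decode(b64))
            for key in jwks.get("keys", []) for b64 in key.get("x5c", [])}

def classify_download(pem: str, jwks: dict, previous_thumbprint: str) -> str:
    """Decide whether a freshly downloaded /pem certificate is safe to send to partners.
    'stale'   : identical to the certificate partners already hold (rotation not visible yet)
    'unknown' : not published in the JWKS, so /pem and the tenant key set disagree
    'rotated' : new certificate, confirmed against the JWKS; send this one."""
    tp = pem_thumbprint(pem)
    if tp == previous_thumbprint:
        return "stale"
    if tp not in jwks_thumbprints(jwks):
        return "unknown"
    return "rotated"

def fetch_and_classify(domain: str, previous_thumbprint: str) -> str:
    """Live version (network): domain is the tenant domain, e.g. tenant.us.auth0.com (assumed)."""
    pem = urlopen(f"https://{domain}/pem").read().decode()
    jwks = json.load(urlopen(f"https://{domain}/.well-known/jwks.json"))
    return classify_download(pem, jwks, previous_thumbprint)

def to_pem(der: bytes) -> str:
    """Wrap bytes in PEM armour (only used here to build the constructed sample input)."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

# Constructed sample input: stand-in byte strings, not real X.509 certificates.
OLD_DER = b"constructed stand-in for the certificate partners already have"
NEW_DER = b"constructed stand-in for the post-rotation certificate"
SAMPLE_JWKS = {"keys": [{"kid": "new", "x5c": [base64.b64encode(NEW_DER).decode()]},
                        {"kid": "old", "x5c": [base64.b64encode(OLD_DER).decode()]}]}
if __name__ == "__main__":
    print(classify_download(to_pem(NEW_DER), SAMPLE_JWKS, thumbprint(OLD_DER)))  # rotated
```

Keep the thumbprint of the certificate you last distributed; a "stale" result means you downloaded /pem before the rotation took effect, and "unknown" means the file should not be forwarded until /pem and the JWKS agree.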

Reference: