SAML SignOut Request yielding Invalid Signature log

stachudotnet · August 2, 2021, 3:52pm

We’ve recently configured an Enterprise connection to a client’s Azure AD via SAML.

Sign-in is working great! We exchanged certificates and other metadata, and users are signing in without any issue.

Somehow, though, we’re consistently failing to support Single SignOut; every attempt results in an “invalid signature: the signature value [dynamic signature] is incorrect,” resulting in the user being signed out at their Identity Provider (AD) but not within Auth0 or our Relying Party application.

The logs don’t seem to provide much context as is; how can I go about diagnosing this issue?

Can I somehow capture the full SAML requests?
Are there settings to flip that I’m missing?

stachudotnet · August 2, 2021, 6:31pm

Resolved: Auth0’s exposed metadata notes the signout endpoint as [Auth0Domain]/logout, when it should be [Auth0Domain]/v2/logout.

Frustrating! but glad we finally got this resolved.

konrad.sopala · August 3, 2021, 8:51am

Perfect! Thanks for sharing with the rest of community!

system · August 18, 2021, 8:51am

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.