Error “invalid thumbprint” from SAML Login

Last Updated: Aug 13, 2024

Overview

Auth0 is configured as a Service Provider (SP) in a SAML login arrangement.

Logins to the Identity Provider (IdP) fail for every user on a SAML connection, and the log event description shows the error:

“invalid thumbprint”

Applies To

  • Auth0 as Service Provider (SP)
  • Custom SAML Login

Cause

The SAML x.509 certificate uploaded on the Auth0 side for the SAML connection does not match the one used by the Identity Provider.

To troubleshoot the issue:

  • Check the connection’s configured certificate and compare it with the IdP’s certificate sent in a SAML response, taken either from a HAR file or from the tenant logs if debug mode is enabled. One of the certificates may be expired, or one of the parties may have rolled over its certificate ahead of the other.
  • Search the tenant logs using the query: “description:thumbprint” for instances of this type of failed login event.

Solution

The X.509 public key certificate installed in the SP must match the certificate that is configured in the IdP.

  1. If necessary, request the public key certificate from the IdP. For further information, refer to Get metadata and certificate from the IdP. The certificate must be in either .pem or .cer format.
  2. Install the public key certificate into the SP connection using either the dashboard or the Management API. These methods are described in the following sections.

NOTE: Auth0 supports the use of a single certificate for a SAML connection. Multiple certificates are not supported.


Use the dashboard

  1. Log in to the dashboard as a tenant member (administrator).
  2. Navigate to Authentication > Enterprise > [select-SAML-connection].
  3. Locate the X.509 Signing Certificate option.
  4. Delete the existing file.
  5. Click Save Changes (bottom of page).
  6. Scroll to the X.509 Signing Certificate option.
  7. Click + Choose File and upload the public key file (.pem or .cer) received from the IdP.
  8. Click Save Changes (bottom of page).

Use the Management API

STEP 1
First, get an Access Token for use with the Management API explorer.

  1. Log in to the dashboard as a tenant member (administrator).
  2. Navigate to APIs > Management API.
  3. From the menu, click API Explorer.
  4. Follow the instructions to get an access token and install it into the Management API Explorer.

STEP 2

  1. Follow steps 1 and 2 from “Use the dashboard” above to view the connection_ID of the SAML connection.

  2. Make a call to the Get-a-Connection endpoint of the Management API (GET /api/v2/connections/{id}) to retrieve the configured settings values.

    NOTE: When updating a connection with the Management API:

    1. first, call the endpoint with a GET to obtain the entire “options” object from the connection.
    2. second, send the full “options” object in the PATCH request, not just the configuration items that need to change.

    Failure to follow this guidance will result in all of the connection’s configuration settings being lost.

  3. Make a call to the Update-a-Connection endpoint of the Management API (PATCH /api/v2/connections/{id}). The body is almost identical to what was retrieved in the previous step (2); however, the “signingCert” property must be updated with the content of the signing certificate supplied by the IdP.
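The certificate comparison from the Cause section and the GET-then-PATCH rule above, as an added example that is not Auth0’s own code. It assumes the thumbprint Auth0 compares is the SHA-1 fingerprint of the DER-encoded certificate; the certificates and the connection object are constructed sample data, not real values.

```python
import base64
import hashlib
import re
from typing import Any, Dict


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and whitespace from a .pem/.cer body and base64-decode
    it to DER bytes. A bare <ds:X509Certificate> value from a SAML response
    (no BEGIN/END lines) is accepted too. Invalid base64 raises, which itself
    points at a corrupt upload."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode(re.sub(r"\s+", "", body), validate=True)


def thumbprint(pem: str) -> str:
    """Upper-case hex SHA-1 of the DER certificate. Assumption: this is the
    thumbprint Auth0 compares when it rejects the SAML response."""
    return hashlib.sha1(pem_to_der(pem)).hexdigest().upper()


def certs_match(configured_pem: str, idp_pem: str) -> bool:
    """True when the connection's configured certificate and the one the IdP
    actually signed the response with have the same thumbprint."""
    return thumbprint(configured_pem) == thumbprint(idp_pem)


def build_patch_body(connection: Dict[str, Any], new_cert_pem: str) -> Dict[str, Any]:
    """Build the PATCH /api/v2/connections/{id} body from the full GET response:
    copy the entire options object and replace only signingCert, so no other
    setting is lost. Read-only top-level fields (id, strategy) are left out."""
    options = dict(connection["options"])  # full copy, not just the changed key
    options["signingCert"] = new_cert_pem
    return {"options": options}


def _constructed_pem(seed: bytes) -> str:
    """Constructed stand-in for a certificate file (not a real X.509 cert)."""
    b64 = base64.b64encode(seed).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


OLD_CERT = _constructed_pem(b"constructed-idp-cert-before-rollover")
NEW_CERT = _constructed_pem(b"constructed-idp-cert-after-rollover")
# Constructed, trimmed shape of a GET /api/v2/connections/{id} response.
CONNECTION = {"id": "con_PLACEHOLDER", "strategy": "samlp",
              "options": {"signInEndpoint": "https://idp.example.com/saml/sso",
                          "signingCert": OLD_CERT}}
```

Running certs_match on the connection’s signingCert and the certificate from the IdP’s response reproduces the mismatch before the PATCH; build_patch_body produces the body for step 3 with every other option preserved.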
