Invalid Thumbprint Error from SAML Logins

Problem Statement

Auth0 is configured as the Service Provider (SP) in a SAML login flow, with an external Identity Provider (IdP).

Logins through the SAML connection fail for every user, and the tenant log event description shows the error:

“invalid thumbprint”

Symptoms

  1. The user authenticates successfully at the upstream IdP, and the IdP returns a SAML response (containing the assertion) to Auth0.
  2. Auth0 rejects the login with the error “Invalid thumbprint.”

Steps to Reproduce

  • Log in through a custom SAML SSO connection.

Troubleshooting

  • Compare the certificate configured on the connection with the certificate the IdP sends in the SAML response (the ds:X509Certificate element inside the signature’s KeyInfo). Obtain the response from a HAR capture of the browser session or, if debug mode is enabled on the connection, from the tenant logs. Typically one of the certificates has expired, or one party has rotated its certificate before the other did.
  • Search the tenant logs with the query "description:*thumbprint*" to find every failed login event of this type.
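The comparison above can be scripted. The following Python example is added here and is not part of the original article or of any Auth0 tooling: it strips the PEM armour from the certificate configured on the connection, pulls every ds:X509Certificate out of a base64 SAMLResponse (HTTP-POST binding), and compares thumbprints, taking the thumbprint to be the conventional SHA-1 fingerprint of the DER-encoded certificate. The certificate bytes and the SAML response in it are constructed placeholders, not real material, and stand in for what you would paste from the connection settings and the HAR file.

```python
"""Compare the signing certificate configured on an Auth0 SAML connection
with the certificate(s) the IdP embedded in a SAML response."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # XML Digital Signature namespace


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and decode the base64 body to DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour (64-column base64)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def thumbprint(der: bytes) -> str:
    """The certificate 'thumbprint' is taken here as the SHA-1 fingerprint of
    the DER-encoded certificate, returned as upper-case hex, no separators."""
    return hashlib.sha1(der).hexdigest().upper()


def certificates_in_response(saml_response_b64: str) -> list:
    """DER bytes of every ds:X509Certificate in a base64 SAMLResponse (POST
    binding). root.iter() covers both the Response and Assertion signatures."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    return [base64.b64decode("".join((el.text or "").split()))
            for el in root.iter(DS + "X509Certificate")]


def check_connection(configured_pem: str, saml_response_b64: str) -> dict:
    """Report the configured thumbprint, the thumbprints seen in the
    response, and whether any of them match."""
    expected = thumbprint(pem_to_der(configured_pem))
    seen = [thumbprint(c) for c in certificates_in_response(saml_response_b64)]
    return {"configured": expected, "in_response": seen, "match": expected in seen}


# Constructed sample data: these byte strings stand in for DER certificates
# (thumbprinting only hashes the DER bytes, so no X.509 parsing is needed).
OLD_CERT_DER = b"constructed placeholder, not a real certificate: OLD IdP cert"
NEW_CERT_DER = b"constructed placeholder, not a real certificate: NEW IdP cert"
CONFIGURED_PEM = to_pem(OLD_CERT_DER)  # what is still uploaded on the connection

# Constructed SAML response whose signature carries the rotated (NEW) certificate.
_new_cert_b64 = base64.b64encode(NEW_CERT_DER).decode("ascii")
SAMPLE_RESPONSE = base64.b64encode(f"""<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed" Version="2.0">
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{_new_cert_b64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature>
</samlp:Response>""".encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    result = check_connection(CONFIGURED_PEM, SAMPLE_RESPONSE)
    print("configured :", result["configured"])
    print("in response:", result["in_response"])
    print("MATCH" if result["match"] else "MISMATCH -> expect 'invalid thumbprint'")
```

With the constructed data the script reports a mismatch, which is exactly the situation behind the error: the connection still holds the old certificate while the IdP signs with the new one. The same hashing works on the ds:X509Certificate found under KeyDescriptor use="signing" in the IdP metadata, which is useful when the IdP publishes two signing certificates during a rollover and you need to know which one is actually in use.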

Cause

The X.509 signing certificate uploaded on the Auth0 side of the SAML connection does not match the certificate the Identity Provider is signing with. Auth0 compares the thumbprint of the configured certificate with that of the certificate presented in the signed response, so any change to the IdP’s certificate, for example a rotation on either side, produces this error.

Solution

The X.509 public key certificate installed on the SP connection must match the signing certificate currently configured on the IdP.

  1. If necessary, request the public key certificate from the IdP (see Get metadata and certificate from the IdP). The certificate must be in .pem or .cer format.
  2. Install the public key certificate on the SP connection using either the Dashboard or the Management API. Both methods are described in the sections that follow.

NOTE: Auth0 supports use of a single certificate for a SAML connection. Multiple certificates are not supported.

Use the dashboard

  1. Log in to the Dashboard as a tenant member (administrator).
  2. Navigate to Authentication > Enterprise > [select SAML connection].
  3. Locate the X.509 Signing Certificate option.
  4. Delete the existing file.
  5. Click Save Changes (bottom of page).
  6. Scroll back to the X.509 Signing Certificate option.
  7. Click “+ Choose File” and upload the public key file (.pem or .cer) received from the IdP.
  8. Click Save Changes (bottom of page).

Use the Management API

STEP 1
First get an Access Token for use with the Management API explorer.

  1. Log in to the Dashboard as a tenant member (administrator).
  2. Navigate to APIs > Management API.
  3. From the menu, click API Explorer.
  4. Follow the instructions there to obtain an access token and set it in the Management API Explorer.

STEP 2

  1. Follow steps 1 and 2 from “Use the dashboard” above to open the SAML connection and note its connection ID (the con_... identifier shown in its settings).
  2. Call the Get-a-Connection endpoint of the Management API (GET /api/v2/connections/{id}) to retrieve the connection’s current settings.

NOTE: When updating a connection with the Management API:

  1. First, call the endpoint with a GET to obtain the entire “options” object of the connection.
  2. Then send the full “options” object in the PATCH request, not just the items that need to change. PATCH replaces the options object as a whole.

Sending a partial “options” object wipes every connection setting that was omitted from it.

  3. Call the Update-a-Connection endpoint of the Management API (PATCH /api/v2/connections/{id}). The body is almost identical to what was retrieved in step 2, except that the “signingCert” property inside “options” is replaced with the PEM text of the signing certificate supplied by the IdP (including the BEGIN CERTIFICATE and END CERTIFICATE lines).
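The GET-then-PATCH procedure above, as an added Python example that is not part of the original article or of Auth0’s own tooling. It copies the whole options object from the GET response, replaces only signingCert, and sends just that options object back (id, name and strategy are not accepted by the PATCH endpoint and are left out). The dropped_option_keys helper shows what a naive body containing only signingCert would erase. The connection JSON, tenant domain and token are constructed placeholders; the real call needs a Management API token with read:connections and update:connections, such as the API Explorer token obtained in STEP 1.

```python
"""Rotate the IdP signing certificate on an Auth0 SAML connection via the
Management API without losing the rest of the connection's configuration."""
import copy
import json
import os
import sys
import urllib.request

# Constructed stand-in for what GET /api/v2/connections/{id} returns for a
# SAML connection (subset of fields; every value is a placeholder).
OLD_CERT_PEM = "-----BEGIN CERTIFICATE-----\nOLDCERTPLACEHOLDER\n-----END CERTIFICATE-----\n"
NEW_CERT_PEM = "-----BEGIN CERTIFICATE-----\nNEWCERTPLACEHOLDER\n-----END CERTIFICATE-----\n"
SAMPLE_CONNECTION = {
    "id": "con_constructedExample",
    "name": "example-saml",
    "strategy": "samlp",
    "options": {
        "signInEndpoint": "https://idp.example.com/sso/saml",
        "signOutEndpoint": "https://idp.example.com/slo/saml",
        "signatureAlgorithm": "rsa-sha256",
        "digestAlgorithm": "sha256",
        "protocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
        "signingCert": OLD_CERT_PEM,
        "fieldsMap": {"email": "email", "name": "name"},
    },
    "enabled_clients": ["constructedClientId"],
}


def build_update_body(connection: dict, new_cert_pem: str) -> dict:
    """Copy the whole options object from the GET response and replace only
    signingCert. PATCH replaces options wholesale, so every other key must be
    sent back or it is lost. Only options is sent; id/name/strategy are not
    updatable through PATCH."""
    options = copy.deepcopy(connection["options"])
    options["signingCert"] = new_cert_pem
    return {"options": options}


def dropped_option_keys(connection: dict, body: dict) -> set:
    """Keys present in the current options but absent from a PATCH body:
    these are the settings that PATCH would wipe."""
    return set(connection["options"]) - set(body.get("options", {}))


def update_signing_cert(domain: str, token: str, connection_id: str, new_cert_pem: str) -> dict:
    """GET the connection, then PATCH it with the full options object."""
    url = f"https://{domain}/api/v2/connections/{connection_id}"
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        current = json.load(resp)
    body = build_update_body(current, new_cert_pem)
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers=headers, method="PATCH")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # usage: AUTH0_DOMAIN=<tenant>.auth0.com AUTH0_MGMT_TOKEN=... \
    #        python rotate_cert.py <connection_id> <idp-cert.pem>
    if len(sys.argv) != 3:
        sys.exit("usage: rotate_cert.py <connection_id> <idp-cert.pem>")
    with open(sys.argv[2], encoding="ascii") as fh:
        pem = fh.read()
    updated = update_signing_cert(os.environ["AUTH0_DOMAIN"], os.environ["AUTH0_MGMT_TOKEN"],
                                  sys.argv[1], pem)
    print("signingCert updated on", updated["id"])
```

Run dropped_option_keys against any body before sending it; a non-empty set means the PATCH would silently remove those settings (endpoints, signature and digest algorithms, attribute mappings) and the connection would have to be reconfigured by hand.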
