Scroll Viewport Not Working with Custom Domains

Overview

Scroll Viewport works when set up with an Auth0 canonical domain, but when it is switched to a custom domain, it returns the error:

Assertion must be explicitly signed

Applies To

  • Scroll Viewport
  • Error
  • Custom Domain

Cause

Scroll Viewport requires both the assertion and the response from the IdP to be signed, but it makes an exception for Auth0 and Google, for which only the response needs to be signed.

The most likely cause of this error is as follows: when the response is signed but the assertion is not, Scroll Viewport checks the domain in use to determine whether the IdP is Auth0 or Google. If it is neither, Scroll Viewport throws an error, because it accepts an unsigned assertion only from Auth0 and Google. All other IdPs must sign both the assertion and the response.

When a custom domain is used, Scroll Viewport cannot recognize that the IdP is Auth0 and therefore returns the error that the assertion must be signed.
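
To confirm which parts of the IdP's response are actually signed, the following added example (not code from Auth0 or Scroll Viewport) decodes a base64 SAMLResponse, as captured from an HTTP-POST login, and reports whether the Response and the Assertion each carry their own signature element. The sample response, its issuer value urn:login.example.com and the function name are constructed for illustration; the check is structural only and does not validate the signatures.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: Response is signed, Assertion is not (the case in this article).
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">'
    '<saml:Issuer>urn:login.example.com</saml:Issuer>'
    '<ds:Signature><ds:SignedInfo/></ds:Signature>'
    '<saml:Assertion ID="_a1"><saml:Issuer>urn:login.example.com</saml:Issuer>'
    '<saml:Subject/></saml:Assertion>'
    '</samlp:Response>'
)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def signature_layout(saml_response_b64):
    """Report which elements of a base64-encoded SAML Response carry a ds:Signature."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a SAML 2.0 Response")
    assertion = root.find("saml:Assertion", NS)
    issuer = root.find("saml:Issuer", NS)
    if issuer is None and assertion is not None:
        issuer = assertion.find("saml:Issuer", NS)
    return {
        # Reported for reference only; the article does not say which field is inspected.
        "issuer": issuer.text.strip() if issuer is not None and issuer.text else None,
        # SAML signatures are enveloped: the ds:Signature is a direct child
        # of the element it covers, so only direct children are counted here.
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_signed": assertion is not None and assertion.find("ds:Signature", NS) is not None,
        # An encrypted assertion hides its signature; decrypt it before checking.
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
    }


if __name__ == "__main__":
    print(signature_layout(SAMPLE_B64))
```

A result with response_signed true and assertion_signed false matches the condition under which the error in this article is raised for an IdP that is not recognized as Auth0 or Google.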

Solution

Since it is not possible to sign both the assertion and the response with Auth0, the only solution for the time being is to use the canonical domain until Scroll Viewport addresses this on its side.