Problem statement
When creating a SAML connection with Shibboleth as the IdP, Shibboleth prompts for the certificate that is used to sign the requests, and the following error is generated in the log file.
2023-05-12 11:13:25,543 - ERROR [org.opensaml.security.x509.impl.BasicX509CredentialNameEvaluator:297] - Credential failed name check: [subjectName='CN={tenant_name}.us.auth0.com']
2023-05-12 11:13:25,544 - WARN [net.shibboleth.idp.profile.impl.WebFlowMessageHandlerAdaptor:197] - Profile Action WebFlowMessageHandlerAdaptor: Exception handling message
org.opensaml.messaging.handler.MessageHandlerException: Validation of protocol message signature failed
    at org.opensaml.saml.common.binding.security.impl.SAMLProtocolMessageXMLSignatureSecurityHandler.doEvaluate(SAMLProtocolMessageXMLSignatureSecurityHandler.java:147)
2023-05-12 11:13:25,545 - WARN [org.opensaml.profile.action.impl.LogEvent:101] - A non-proceed event occurred while processing the request: MessageAuthenticationError
Cause
The Auth0 SAML connection had Sign Request enabled, but the signing certificate had not been uploaded on the Shibboleth side, so Shibboleth could not validate the signature on the request.
Solution
Download the certificate used to sign the SAML request:
- Navigate to the Dashboard.
- Click on Connection and select the Shibboleth connection.
- Click on the certificate link under Sign Request.
NOTE: If the signing algorithm and digest algorithm fields are left blank, they default to RSA-SHA256 and SHA256.