Support multiple signing keys for enterprise SAML connection

Feature: Support multiple signing keys for enterprise SAML connection

Description: Recently Azure AD (now called Entra ID) started to alternate between two valid keys for a brief period of time prior to the key rotation. That period can last anywhere from a day to multiple days until it finally settles on the new key to be used for the next month or so.

During that period a user trying to log in can initiate the login session using either of the two currently valid keys, since they are alternating in the metadata endpoint randomly. The SAML enterprise connection, on the other hand, can use only a single signing key at any given time. As a result users get failed logins at random during that transitioning period.

Use-case: I am using the Universal Login form that you provide to log in customers to both our own tenant at Auth0 and their Azure AD directory using SAML. Our customers are getting increasingly frustrated by this issue as it will keep happening every month or so and there is nothing we can do about it. We have contacted your customer support (Auth0 Support Center) as well and they directed us to this forum.

Thank you.
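The behaviour the post asks for, as an added example that is not Auth0's or Entra ID's code: a service provider that trusts every signing key currently published in the IdP metadata instead of a single one, so a response signed with either key during the rotation window verifies. The `TrustedSigningKeys` type and `SimulateRotation` function are assumed names, and locally generated RSA keys plus a constructed assertion digest stand in for real metadata parsing and XML signature processing.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// TrustedSigningKeys holds every IdP signing key published in metadata (two during an Entra ID rotation).
type TrustedSigningKeys []*rsa.PublicKey

// Verify reports whether any currently trusted key validates sig over the SHA-256 digest hashed.
func (t TrustedSigningKeys) Verify(hashed, sig []byte) bool {
	for _, pub := range t {
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, hashed, sig) == nil {
			return true
		}
	}
	return false // no trusted key matched: the random failed login from the post
}

// SimulateRotation signs a constructed assertion digest with an old and a new IdP key and
// returns failed verifications for [0] an SP trusting only the old key, [1] one trusting both.
func SimulateRotation() (failures [2]int, err error) {
	var keys [2]*rsa.PrivateKey // keys[0] is the old IdP key, keys[1] the new one
	for i := range keys {
		if keys[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return failures, err
		}
	}
	digest := sha256.Sum256([]byte(`<saml:Assertion ID="_constructed-sample"/>`)) // constructed input
	sps := []TrustedSigningKeys{{&keys[0].PublicKey}, {&keys[0].PublicKey, &keys[1].PublicKey}}
	for _, idpKey := range keys { // the IdP alternates between both keys during the window
		sig, err := rsa.SignPKCS1v15(rand.Reader, idpKey, crypto.SHA256, digest[:])
		if err != nil {
			return failures, err
		}
		for i, sp := range sps {
			if !sp.Verify(digest[:], sig) {
				failures[i]++
			}
		}
	}
	return failures, nil
}

func main() { fmt.Println(SimulateRotation()) }
```

Running it reports one failure for the single-key SP (the response signed with the new key) and none for the SP that loaded both keys.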

Hi @simov,

Thanks for the feedback.

I’m going to close this as a dupe of Better certificate rotation for SAML connections.
