The Supported Formats for SAML Connection Signing Certificate are not Consistent Between Dashboard and Management API

Problem statement

It is possible to create a SAML connection through the Management API and provide a signing certificate (options.signingCert) in one of two formats:

  • the PEM certificate as-is, with its line breaks included (they appear as \r\n in the JSON value).
  • a PEM certificate where the full content, including the header, footer and line breaks, is base64 encoded as a single string.

However, a connection stored with the first format will run into problems if a SAML assertion is received without the public key embedded in the assertion itself, because the server expects the signing certificate to always be stored in the second format.

Symptoms

One of the potential error messages returned is:

error:1E08010C:DECODER routines::unsupported

When reviewing the associated SAML Response, there will not be a public key included as one of the SAML Response elements.

Steps to reproduce

  • Upload the signing certificate via the Auth0 Management console (UI). Fetching the connection via the Management API shows that the signing certificate is stored base64 encoded:
{
...
"signingCert": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUI3..."
...
}
  • Upload the same signing certificate via the Auth0 Management API (not base64 encoded). This results in the signingCert value being stored without base64 encoding:
{
...
"signingCert": "-----BEGIN CERTIFICATE-----\r\nMIIC+jCCAeKgAwIBAgIJM..."
...
}
  • With this connection, the IdP needs to send a SAML Response that does not include the signing certificate as a SAML element in order for the error to be thrown.

Cause

It’s possible to set the signingCert value to a non-encoded certificate and it will work so long as the IdP sends the public key in the response. If the key is not present then signature validation will fail.

When a non-encoded certificate is uploaded via the dashboard it will be automatically encoded, but this is not the case when setting the signingCert directly via the Management API.

Solution

Ensure that the configured SAML connection is using a base64 encoded signing certificate in order to avoid the potential issue of an IdP not sending a public key in the SAML Response.
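The following script is an added example and is not part of the original article or of Auth0's own tooling. It applies the solution above before a signingCert value ever reaches the Management API: it recognises which of the two accepted formats a value is in, converts the raw PEM form into the base64 form that the dashboard produces, and builds the options.signingCert payload from the normalised value. The certificate text is a constructed placeholder with the shape of a PEM file, not a real certificate; the helper names are this example's own.

```python
import base64
import binascii

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed placeholder with the shape of a PEM certificate (not a real
# certificate). In practice this is the IdP signing certificate read from disk.
RAW_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    "MIIC+jCCAeKgAwIBAgIJAAAAAAAAAAAAMA0GCSqGSIb3DQEBCwUAMBAxDjAMBgNV\r\n"
    "BAMMBWR1bW15MB4XDTI0MDEwMTAwMDAwMFoXDTM0MDEwMTAwMDAwMFow\r\n"
    "-----END CERTIFICATE-----\r\n"
)


def classify_signing_cert(value: str) -> str:
    """Return 'pem' for a raw PEM certificate, 'base64-pem' for a PEM
    certificate whose full text has been base64 encoded (the form the
    dashboard stores), or 'unknown' for anything else."""
    stripped = value.strip()
    if stripped.startswith(PEM_HEADER):
        return "pem"
    try:
        # validate=True rejects characters outside the base64 alphabet
        # instead of silently discarding them.
        decoded = base64.b64decode(stripped, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return "unknown"
    if decoded.strip().startswith(PEM_HEADER) and PEM_FOOTER in decoded:
        return "base64-pem"
    return "unknown"


def normalize_signing_cert(value: str) -> str:
    """Return the certificate as base64 of the full PEM text, whichever of
    the two accepted input forms it arrived in. Already-encoded input is
    returned unchanged, so the function is safe to apply repeatedly."""
    kind = classify_signing_cert(value)
    if kind == "base64-pem":
        return value.strip()
    if kind == "pem":
        # Encode the whole PEM text, header, footer and line breaks included.
        return base64.b64encode(value.encode("ascii")).decode("ascii")
    raise ValueError("signingCert is neither a PEM certificate nor base64-encoded PEM")


def decode_signing_cert(value: str) -> str:
    """Recover the PEM text from a stored base64 signingCert value, which is
    a quick way to check what a fetched connection actually holds."""
    return base64.b64decode(value, validate=True).decode("ascii")


def build_connection_patch(signing_cert: str) -> dict:
    """Build the options body for a connection update with a normalised
    signingCert, so the raw PEM form never reaches the API."""
    return {"options": {"signingCert": normalize_signing_cert(signing_cert)}}


if __name__ == "__main__":
    print(classify_signing_cert(RAW_PEM))               # pem
    encoded = normalize_signing_cert(RAW_PEM)
    print(classify_signing_cert(encoded))               # base64-pem
    print(encoded[:36])                                 # LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t
    print(build_connection_patch(RAW_PEM))
```

Running classify_signing_cert on the signingCert value fetched from an existing connection is the quickest way to audit whether it is in the dashboard form ('base64-pem') or the raw form ('pem') that triggers the decoder error. When sending the patch, remember that a Management API update of a connection's options replaces the whole options object, so the normalised signingCert should be merged into the connection's existing options rather than sent on its own.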