"Unable to verify signature" Error on SAML Connection

Last Updated: Sep 16, 2024

Overview

Users attempting to log in with a SAML connection report that they cannot log in via SSO. Tenant logs show repeated instances of the following error for all login attempts that use that connection.

Unable to verify the signature

Symptoms:

  • All user attempts to log in via the affected SAML connection will result in a login failure.
  • Login failures that are triggered by this problem result in errors of the type Failed Login (f) and the description Unable to verify the signature.
  • The onset of this type of failure can be traced to a specific time and date.

Applies To

  • SAML connection
  • Login Failure

Cause

Common reasons for encountering the Unable to verify the signature error are:

  • The identity provider (IdP) has not been configured with the correct signing certificate, which it needs in order to validate the signed SAMLRequests sent by the tenant.
  • A recent change may have been made to the IdP configuration.
  • A recent change to Rules/Actions in the Auth0 tenant may have resulted in unexpected outcomes.

Solution

  1. Rules/Actions that process SAML connections should be checked for recent changes. Try temporarily disabling those specific Rules/Actions one at a time.
  2. If the source of the problem cannot be traced to Rules/Actions, then it will be necessary to update the IdP with the correct signing certificate.
    • The public key for the SAML certificates can be presented in a variety of different formats, as discussed here: Signed assertions.
    • Download the certificate in the format that is required by the IdP.

This certificate contains the public key; it must be provided to the IdP. Consult the IdP documentation for guidance on updating the certificate on the IdP.
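One way to confirm that the IdP really holds the tenant's current certificate, whatever format each side uses, is to compare fingerprints. The script below is an added example (not part of this article or of Auth0's own tooling): it normalises a certificate given as PEM, as the bare base64 body used inside SAML metadata, or as raw DER, computes its SHA-256 fingerprint, and checks it against the signing certificates advertised in the tenant's SP metadata. The certificate bytes and the metadata document are constructed samples, not real values.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

def cert_to_der(cert):
    """Normalise PEM text, the bare base64 body used in <ds:X509Certificate>,
    or raw DER bytes into DER, so differently formatted copies compare equal."""
    if isinstance(cert, bytes) and not cert.lstrip().startswith(b"-----"):
        return cert  # already DER
    text = cert.decode() if isinstance(cert, bytes) else cert
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)  # drop PEM armour
    return base64.b64decode(re.sub(r"\s+", "", body), validate=True)

def fingerprint(cert):
    """SHA-256 fingerprint in the colon-separated form most IdP consoles show."""
    digest = hashlib.sha256(cert_to_der(cert)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def signing_certs_from_metadata(xml_text):
    """Base64 bodies of every signing certificate in SP metadata; a KeyDescriptor
    with no 'use' attribute covers both signing and encryption."""
    root = ET.fromstring(xml_text)
    return [c.text or ""
            for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor")
            if kd.get("use", "signing") == "signing"
            for c in kd.iter(f"{{{DS_NS}}}X509Certificate")]

def idp_has_current_cert(idp_cert, sp_metadata_xml):
    """True if the certificate configured at the IdP matches a signing
    certificate the tenant currently advertises in its SP metadata."""
    want = fingerprint(idp_cert)
    return any(fingerprint(c) == want for c in signing_certs_from_metadata(sp_metadata_xml))

# Constructed sample data (not a real certificate): DER-shaped bytes, the same
# bytes wrapped as PEM, and a minimal SP metadata document carrying them.
SAMPLE_DER = b"\x30\x82\x01\x00constructed-sample-certificate-bytes"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % SAMPLE_B64
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" entityID="urn:example:sp">
  <md:SPSSODescriptor AuthnRequestsSigned="true">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate> {SAMPLE_B64} </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

A mismatch between the fingerprint the IdP shows and the one computed from the tenant's downloaded certificate points at the IdP configuration rather than at Rules/Actions.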

If the above steps do not solve the problem, then customers with a paid subscription or trial period should:

  1. Capture a HAR trace file of the Failed Login event.
    The use of a Chrome browser is recommended for this task.

    • When recording the HAR file, select “Preserve Log” (if the browser supports this feature).
    • If there is any sensitive information in the HAR file (e.g., client secrets, passwords), we recommend removing all secrets from the HAR file and replacing them with the string “*****”.
    • If the file is larger than 15 MB, please zip it.
  2. Open a ticket in the support center and attach the HAR file with a clear description of the problem.

Customers with a Free subscription should post a question to our Community forum.