"Unable to verify signature" Error on SAML Connection

Problem statement

SAML connection ‘connect-X’ is failing.

Clients that use the connection ‘connect-X’ report that they are unable to log in via SSO. Tenant logs show repeated instances of the error “Unable to verify the signature” for all login attempts that use that connection.

Symptoms

  • All user attempts to log in via the affected SAML connection will result in login failure.
  • Login failures that are triggered by this problem result in errors of the type ‘Failed Login (f)’ and the description “Unable to verify the signature.”
  • The onset of this type of failure can be traced to a specific time and date.

Troubleshooting

  1. Opening a sample tenant log will show details similar to this:

     "details": {
       "body": {
         "RelayState": "NYq-WSJSZu5E5DO_R4bQJxo8x0ormGxS",
         "SAMLResponse": "PHNhbWxwOlJlc3BvbnNlIFZlcnNpb249IjIuMCIgSUQ9IlN ......."  [ full output omitted ]
       }
     }

  2. Copy and paste the full SAMLResponse into a decoder tool such as samltool.io; expect to see a status block of this type:

     <samlp:Status>
       <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
       <samlp:StatusMessage>
         Unable to verify the signature
       </samlp:StatusMessage>
     </samlp:Status>

  3. The log event will also contain error details in this form:

     "error": {
       "message": "Unable to verify the signature",
       "oauthError": "Unable to verify the signature",
       "type": "unauthorized",
       "uri": null
     }
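
Decoding the SAMLResponse by hand in samltool.io works for one event, but when triaging many log events it helps to script the same check. The following Python script is an added example, not part of this article or of Auth0's product; the sample response it decodes is constructed to mirror the status block above (the issuer, IDs and timestamp are made up). It base64-decodes the value as it appears in the log (also handling the DEFLATE-compressed form used by the HTTP-Redirect binding), pulls out the StatusCode chain and StatusMessage, and maps them onto the branches of this article. A truncated value copied from a log excerpt is reported rather than silently misparsed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

# Namespaces used in SAML 2.0 responses (protocol, assertion, XML-DSig).
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
STATUS_PREFIX = "urn:oasis:names:tc:SAML:2.0:status:"


def decode_saml_message(encoded: str) -> bytes:
    """Decode a SAMLResponse as the tenant log carries it.

    The HTTP-POST binding (a form field in the request body, as in the log
    above) is plain base64.  The HTTP-Redirect binding additionally
    DEFLATE-compresses the XML, so fall back to raw inflate when the decoded
    bytes are not XML."""
    try:
        raw = base64.b64decode(encoded.strip(), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("not valid base64: is the log excerpt truncated?") from exc
    if raw.lstrip().startswith(b"<"):
        return raw
    try:
        return zlib.decompress(raw, -15)  # wbits=-15: raw DEFLATE stream
    except zlib.error as exc:
        raise ValueError("decoded bytes are neither XML nor DEFLATE") from exc


def inspect_saml_response(encoded: str) -> dict:
    """Return the status codes, status message and structural facts of a response."""
    root = ET.fromstring(decode_saml_message(encoded))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response element: %s" % root.tag)
    status = root.find("samlp:Status", NS)
    if status is None:
        raise ValueError("samlp:Response has no samlp:Status")
    # StatusCode elements nest: the top-level code (Success/Requester/Responder)
    # may wrap a more specific second-level code.
    codes, node = [], status.find("samlp:StatusCode", NS)
    while node is not None:
        codes.append(node.get("Value", "").replace(STATUS_PREFIX, ""))
        node = node.find("samlp:StatusCode", NS)
    message = status.find("samlp:StatusMessage", NS)
    issuer = root.find("saml:Issuer", NS)
    return {
        "issuer": (issuer.text or "").strip() if issuer is not None else None,
        "in_response_to": root.get("InResponseTo"),
        "status_codes": codes,
        "status_message": (message.text or "").strip() if message is not None else None,
        "has_assertion": root.find("saml:Assertion", NS) is not None
        or root.find("saml:EncryptedAssertion", NS) is not None,
        "response_signed": root.find("ds:Signature", NS) is not None,
    }


def classify(info: dict) -> str:
    """Map the inspected status onto the troubleshooting branches of this article."""
    top = info["status_codes"][0] if info["status_codes"] else ""
    message = (info["status_message"] or "").lower()
    if top == "Success" and info["has_assertion"]:
        return "success: the IdP issued an assertion"
    if top == "Responder" and "unable to verify the signature" in message:
        return ("idp-signature-check: the IdP could not verify the signature on the "
                "request it received; check the signing certificate configured at the "
                "IdP and any recent Rules/Actions changes")
    if top == "Responder":
        return "idp-error: the IdP reported a problem on its side"
    if top == "Requester":
        return "request-error: the IdP rejected the request it received"
    return "unexpected: status %s" % "/".join(info["status_codes"])


def triage(encoded: str) -> dict:
    """Decode + inspect + classify, reporting decode failures instead of raising."""
    try:
        info = inspect_saml_response(encoded)
    except (ValueError, ET.ParseError) as exc:
        return {"error": str(exc)}
    info["verdict"] = classify(info)
    return info


# Constructed sample (not a real tenant log): the failure this article describes.
SAMPLE_FAILURE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-resp-1"
    Version="2.0" IssueInstant="2024-01-01T00:00:00Z" InResponseTo="_constructed-req-1">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
    <samlp:StatusMessage>
      Unable to verify the signature
    </samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""
SAMPLE_FAILURE_POST = base64.b64encode(SAMPLE_FAILURE_XML.encode()).decode()
_deflater = zlib.compressobj(wbits=-15)
SAMPLE_FAILURE_REDIRECT = base64.b64encode(
    _deflater.compress(SAMPLE_FAILURE_XML.encode()) + _deflater.flush()).decode()
# A truncated value exactly as a copied log excerpt looks.
SAMPLE_TRUNCATED = "PHNhbWxwOlJlc3BvbnNlIFZlcnNpb249IjIuMCIgSUQ9IlN ......."

if __name__ == "__main__":
    for label, value in [("POST", SAMPLE_FAILURE_POST),
                         ("Redirect", SAMPLE_FAILURE_REDIRECT),
                         ("truncated", SAMPLE_TRUNCATED)]:
        print(label, triage(value))
```

Feed the script the complete SAMLResponse value, not the shortened one shown in a log viewer; the `InResponseTo` and `Issuer` fields it reports let you match the failed response to the request Auth0 sent and confirm which IdP answered. A response with a Responder status and no assertion is the IdP's own verdict, so the fix belongs on the IdP side or in the configuration Auth0 sends it, which is what the Cause and Solution sections below walk through.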

Cause

Common reasons for encountering the “Unable to verify the signature” error are as follows:

  • The identity provider (IdP) has not been configured with the correct signing certificate, which it needs in order to validate the signatures on incoming SAMLRequests.
  • A recent change may have been made to the IdP configuration.
  • A recent change to Rules/Actions in the Auth0 tenant may have resulted in unexpected outcomes.

Solution

  1. Rules/Actions that process SAML connections should be checked for recent changes. Try temporarily disabling those specific Rules/Actions one at a time.
  2. If the source of the problem cannot be traced to Rules/Actions, then it will be necessary to update the IdP with the correct signing certificate.
  • The signing certificate (which carries the public key) can be presented in a variety of formats, as discussed in Signed assertions.
  • Download the certificate in the format that is required by the IdP.

This certificate contains the public key; it must be provided to the IdP. Consult the IdP documentation for guidance on how to update the certificate on the IdP.


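The certificate has to reach the IdP in whichever presentation it accepts, and a stale or mismatched copy on the IdP side produces exactly the failure this article describes. The Python helpers below are an added example, not Auth0's code or a documented Auth0 API: they convert between PEM and the single-line raw base64 form, compute the colon-separated fingerprint that IdP consoles usually display, and compare a fingerprint copied from such a console against the certificate file, so you can confirm after the update that the IdP holds the certificate you downloaded from the tenant. The certificate bytes in the sample are a constructed stand-in, not a real X.509 certificate; the helpers never parse ASN.1, so any byte string exercises them.

```python
import base64
import hashlib
import re
import textwrap

# Matches the body of a PEM certificate; re.S lets the body span lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_der(cert_text: str) -> bytes:
    """Accept a PEM certificate or a bare base64 ("raw") body, return DER bytes.

    Whitespace, CRLF line endings and indentation (as produced by copy/paste
    from a dashboard or a support ticket) are tolerated."""
    match = PEM_RE.search(cert_text)
    body = match.group(1) if match else cert_text
    body = "".join(body.split())
    if not body:
        raise ValueError("no certificate data found")
    return base64.b64decode(body, validate=True)


def to_pem(der: bytes) -> str:
    """Render DER bytes as PEM with the conventional 64-column base64 lines."""
    lines = textwrap.wrap(base64.b64encode(der).decode(), 64)
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)


def to_raw(der: bytes) -> str:
    """Render DER bytes as a single base64 line (the form some IdPs paste in)."""
    return base64.b64encode(der).decode()


def fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Colon-separated upper-case hex digest of the DER bytes, as IdP consoles show it."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_fingerprint(der: bytes, shown: str) -> bool:
    """Compare a fingerprint copied from an IdP console against the certificate.

    Colons, spaces and case are normalised; the digest length selects SHA-1
    (40 hex digits) or SHA-256 (64 hex digits)."""
    normalised = re.sub(r"[^0-9a-fA-F]", "", shown).lower()
    algorithm = {40: "sha1", 64: "sha256"}.get(len(normalised))
    if algorithm is None:
        return False
    return hashlib.new(algorithm, der).hexdigest() == normalised


def same_certificate(a: str, b: str) -> bool:
    """True when two PEM/raw presentations decode to identical DER bytes."""
    return to_der(a) == to_der(b)


# Constructed stand-in bytes: NOT a real X.509 certificate.
SAMPLE_DER = bytes(range(0, 200))
OTHER_DER = bytes(range(1, 201))
SAMPLE_PEM = to_pem(SAMPLE_DER)
# The same certificate after a Windows copy/paste: CRLF endings, indented lines.
SAMPLE_PEM_PASTED = "\r\n".join("    " + line for line in SAMPLE_PEM.splitlines()) + "\r\n"

if __name__ == "__main__":
    der = to_der(SAMPLE_PEM_PASTED)
    print("raw:", to_raw(der)[:40], "...")
    print("sha1:", fingerprint(der))
    print("sha256:", fingerprint(der, "sha256"))
    print("matches console value:", matches_fingerprint(der, fingerprint(der).lower()))
```

Run `to_der()` over the file you downloaded from the tenant and over whatever the IdP lets you export, then compare with `same_certificate()`; when the IdP only displays a fingerprint, use `matches_fingerprint()` with the value shown. A mismatch after the update means the IdP is still holding an older certificate and the Responder error will persist until it is replaced.
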
If this does not solve the problem, then customers with a paid subscription or trial period should:

a) Capture a HAR trace file of the Failed Login event.

  • Google HAR Analyzer (use of a Chrome browser is recommended for this task).

  • When recording the HAR file, select “Preserve Log” (if your browser supports this feature).

  • If there is any sensitive information in the HAR file (e.g., client secrets, passwords), we recommend removing all secrets from the HAR file and replacing them with the string “XXXX”.

  • If the file is larger than 15 MB, please zip it.

b) Open a ticket in the support center and attach the HAR file, together with a clear description of the problem.

Customers with a Free subscription should post a question to our Community forum.