"Unable to verify signature" Error on SAML Connection

Overview

This article troubleshoots login failures on a SAML SSO connection. The failed attempts appear in tenant logs as ‘Failed Login (f)’ events with the following error message:

Unable to verify the signature

Applies To

  • SAML connection
  • Login Failure

Cause

The Unable to verify the signature error typically occurs for one of the following reasons:

  • Signing certificate mismatch: The signing certificate used for the SAML Request did not match the certificate configured on the identity provider (IdP).
  • The IdP configuration was recently modified.
  • A recent change to Rules or Actions within the Auth0 tenant resulted in an unexpected outcome.

Solution

Resolving this involves confirming the correct configuration of the settings and Rules/Actions listed below. Follow these steps to resolve the Unable to verify the signature error:

  1. Verify and Update the Identity Provider (IdP) Signing Certificate:
    1. Confirm that the correct signing certificate is uploaded within the Auth0 tenant’s connection settings corresponding to the IdP.
    2. Download the current certificate from the Auth0 connection settings page. Ensure the download format matches the requirement specified by the IdP.
    3. Upload this downloaded certificate (which contains the public key) to the IdP configuration. Consult the IdP’s documentation for guidance on updating the certificate on their platform.
  2. Review Auth0 Rules and Actions:
    1. Examine any Auth0 Rules or Actions configured to process SAML connections, checking for recent modifications that might correlate with the start of the issue.
    2. If a recently modified Rule or Action is identified as potentially relevant, temporarily disable it to test if the login succeeds. Test by disabling one Rule or Action at a time.
  3. Contact Support (If Issue Persists):
    1. Open a ticket with the support center. Include a clear description of the problem encountered and attach the fully sanitized HAR file that captures the failed login attempt.
    2. Sanitize the generated HAR file to remove all sensitive information before submission.
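A quick way to confirm the certificate-mismatch cause before disabling Rules or opening a ticket is to compare the certificate embedded in the signed SAML message (the HAR file captures it) with the certificate currently on file. The following Python is an added example, not Auth0's code; it uses constructed sample data in place of real certificates, and it only compares certificate fingerprints rather than verifying the XML signature itself.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and whitespace, return the raw DER bytes."""
    body = pem.replace("-----BEGIN CERTIFICATE-----", "").replace("-----END CERTIFICATE-----", "")
    return base64.b64decode("".join(body.split()))

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of DER bytes, the form most IdP consoles display."""
    return hashlib.sha256(der).hexdigest()

def embedded_cert(saml_xml: str) -> Optional[bytes]:
    """Return the DER cert from ds:KeyInfo/ds:X509Data, or None if the message has none."""
    node = ET.fromstring(saml_xml).find(f".//{{{DS_NS}}}X509Certificate")
    if node is None or not (node.text or "").strip():
        return None
    return base64.b64decode("".join(node.text.split()))

def check_signing_cert(saml_xml: str, configured_pem: str) -> dict:
    """Compare the cert embedded in a signed SAML message with the one on file."""
    expected = fingerprint(pem_to_der(configured_pem))
    der = embedded_cert(saml_xml)
    if der is None:
        return {"match": False, "reason": "no ds:X509Certificate in message",
                "expected": expected, "found": None}
    found = fingerprint(der)
    return {"match": found == expected,
            "reason": "ok" if found == expected else "certificate mismatch",
            "expected": expected, "found": found}

# Constructed sample data: not real X.509 certificates, just two distinct byte
# strings standing in for the current and a stale signing certificate.
CERT_CURRENT_B64 = base64.b64encode(b"constructed-current-signing-cert" * 3).decode()
CERT_STALE_B64 = base64.b64encode(b"constructed-stale-signing-cert" * 3).decode()

# Constructed minimal signed SAML message carrying the current certificate.
SAML_MESSAGE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="{DS_NS}"><ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{CERT_CURRENT_B64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>"""

CONFIGURED_PEM = f"-----BEGIN CERTIFICATE-----\n{CERT_CURRENT_B64}\n-----END CERTIFICATE-----\n"
STALE_PEM = f"-----BEGIN CERTIFICATE-----\n{CERT_STALE_B64}\n-----END CERTIFICATE-----\n"
```

When the fingerprints differ, the `expected` and `found` values tell you which side (the connection settings or the IdP) still holds the old certificate, which is the first step of the procedure above.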