Problem statement
This article explains some potential causes for an Identity Provider (IdP) SAML connection redirecting the end user to the login screen again instead of completing the login.
Symptoms
The error recorded in the tenant logs (Opensearch) indicates an invalid digital signature. The message begins with "XMLJS0013: Cryptographic error: Invalid digest for URI".
Cause
This issue can be caused by the signing certificates configured on the Service Provider (SP) and the IdP not matching, so the signature on the response cannot be validated. The same error also occurs in an SP-initiated request when the IdP returns the SAMLResponse to the SAML protocol URL (e.g., https://{tenant}.auth0.com/samlp/{connection_id}) instead of the callback URL (e.g., https://{tenant}.auth0.com/login/callback?connection={connection_name}).
There are other possible causes, and this article does not claim to cover all of them. Check the Auth0 Community forums for other reports of this error.
Solution
Ensure the signing certificates configured on the SP and the IdP match. The steps below show how to download the certificate from your Auth0 tenant so that it can be uploaded to the IdP.
- The public key for the SAML certificates can be presented in a variety of formats, as described in Signed assertions.
- Download the certificate in the format that is required by the IdP.
This certificate contains only the public key; it must be provided to the IdP. Consult the IdP documentation for guidance on updating the certificate on the IdP side.
Additionally, for an SP-initiated SAML request, ensure that the SAMLResponse is returned to the correct callback URL, for example https://{tenant}.auth0.com/login/callback?connection={connection_name}, instead of the SAML protocol URL such as https://{tenant}.auth0.com/samlp/{connection_id}.
Another cause reported in the Community is invalid line breaks in the certificate text; see the thread SAML Connection Error ‘Signature check errors: invalid signature: for uri SUPPLIED_URI calculated digest is…’.
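The following triage script is an added example, not Auth0 code, covering the three checks above (callback URL versus protocol URL, certificate match, and line-break differences in the certificate text). It does not verify the XML signature itself, which requires exclusive canonicalization and an XML-DSig library; it only checks, with the Python standard library, whether the response was posted to the /login/callback URL rather than /samlp/, whether the certificate embedded in the response matches the one configured on the connection when compared as decoded DER bytes (so that re-wrapped or CRLF line breaks cannot cause a false mismatch), and whether every ds:Reference URI resolves to an element in the response. The tenant name, connection name, connection ID, certificate bytes and the SAMLResponse itself are all constructed placeholders.

```python
"""Triage helper for the "XMLJS0013: Cryptographic error: Invalid digest for URI"
loop on an Auth0 SAML connection. Added example, not Auth0 code; it does NOT
verify the XML signature (that needs exclusive C14N and an XML-DSig library).
Using only the standard library it checks the three things the article names:
  1. the SAMLResponse was posted to /login/callback, not to /samlp/...;
  2. the certificate embedded in the response matches the one configured on
     the connection, compared as decoded DER bytes so that differing line
     breaks in the PEM text cannot produce a false mismatch;
  3. every ds:Reference URI resolves to an element ID in the response.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Hypothetical tenant and connection identifiers, used only for this example.
TENANT = "example-tenant"
CONNECTION_NAME = "my-saml-idp"
CONNECTION_ID = "con_0123456789abcdef"

def expected_callback_url(tenant, connection_name):
    return f"https://{tenant}.auth0.com/login/callback?connection={connection_name}"

def classify_destination(destination, tenant, connection_name):
    """Return 'callback', 'samlp' or 'unknown' for a Destination / ACS URL."""
    if destination == expected_callback_url(tenant, connection_name):
        return "callback"
    samlp = rf"https://{re.escape(tenant)}\.auth0\.com/samlp/[^/?#]+"
    if re.fullmatch(samlp, destination or ""):
        return "samlp"
    return "unknown"

def pem_to_der(text):
    """Strip PEM armour and every whitespace character (CRLF, re-wrapped or
    missing line breaks become irrelevant) and return the DER bytes. Also
    accepts the bare base64 body found in ds:X509Certificate."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    return base64.b64decode(re.sub(r"\s+", "", body), validate=True)

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def check_response(saml_response_b64, configured_cert_pem, tenant, connection_name):
    """Return a dict of findings for one base64-encoded SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    findings = {"destination": classify_destination(root.get("Destination"), tenant, connection_name)}
    cert_el = root.find(".//ds:X509Certificate", NS)
    if cert_el is None:
        findings["certificate"] = "missing"
    elif fingerprint(pem_to_der(cert_el.text)) == fingerprint(pem_to_der(configured_cert_pem)):
        findings["certificate"] = "match"
    else:
        findings["certificate"] = "mismatch"
    ids = {el.get("ID") for el in root.iter() if el.get("ID")}
    findings["unresolved_references"] = [
        ref.get("URI") for ref in root.findall(".//ds:Reference", NS)
        if ref.get("URI", "").startswith("#") and ref.get("URI")[1:] not in ids
    ]
    return findings

# Constructed placeholder standing in for DER-encoded X.509 certificate bytes;
# a real response carries a real certificate here.
_FAKE_DER = hashlib.sha256(b"constructed placeholder, not a certificate").digest() * 3
_B64 = base64.b64encode(_FAKE_DER).decode()

def wrap(b64, width, newline="\n"):
    return newline.join(b64[i:i + width] for i in range(0, len(b64), width))

# The certificate as downloaded from the tenant (64-column PEM)...
CONFIGURED_CERT_PEM = "-----BEGIN CERTIFICATE-----\n" + wrap(_B64, 64) + "\n-----END CERTIFICATE-----\n"
# ...and the same certificate as the IdP embeds it, re-wrapped with CRLF line breaks.
EMBEDDED_CERT_B64 = wrap(_B64, 76, "\r\n")

def build_response(destination, cert_b64, reference_uri="#_assertion1"):
    """Construct a minimal SAMLResponse (base64) for the checks above. The
    DigestValue and SignatureValue are placeholders, not valid signatures."""
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'xmlns:ds="{NS["ds"]}" ID="_response1" Version="2.0" Destination="{destination}">'
        '<saml:Assertion ID="_assertion1" Version="2.0"><ds:Signature><ds:SignedInfo>'
        f'<ds:Reference URI="{reference_uri}"><ds:DigestValue>AAAA</ds:DigestValue>'
        '</ds:Reference></ds:SignedInfo><ds:SignatureValue>AAAA</ds:SignatureValue>'
        f'<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate>'
        '</ds:X509Data></ds:KeyInfo></ds:Signature></saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    good = build_response(expected_callback_url(TENANT, CONNECTION_NAME), EMBEDDED_CERT_B64)
    bad = build_response(f"https://{TENANT}.auth0.com/samlp/{CONNECTION_ID}", EMBEDDED_CERT_B64, "#_missing")
    for name, resp in (("good", good), ("bad", bad)):
        print(name, check_response(resp, CONFIGURED_CERT_PEM, TENANT, CONNECTION_NAME))
```

Run it against a real case by replacing the constructed `build_response(...)` values with the base64 SAMLResponse captured from the browser POST and `CONFIGURED_CERT_PEM` with the certificate downloaded from the tenant. A "samlp" destination points at the callback-URL cause, a certificate "mismatch" at the certificate cause, and a textual PEM that differs while `pem_to_der` still matches is the line-break case.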