XMLJS0013: Cryptographic error: Invalid Digest for Uri

Problem statement

This article explains some potential causes for an Identity Provider (IdP) SAML connection redirecting the end user to the login screen again instead of completing the login.

Symptoms

The error returned in the tenant logs (OpenSearch) indicates an invalid digital signature. The error message starts with "XMLJS0013: Cryptographic error: Invalid digest for URI".

Cause

This issue can be caused by the SAML signing certificate configured on the Service Provider (SP) not matching the one used by the IdP, so the signatures fail to verify. However, the same error can occur in an SP-initiated request when the response is returned to the SAML protocol URL (e.g., https://{tenant}.auth0.com/samlp/{connection_id}) instead of the callback URL (e.g., https://{tenant}.auth0.com/login/callback?connection={connection_name}).

There are other possible reasons, however, and this article is likely not a complete overview of all potential causes. Please check the Auth0 Community forums for other instances of this error.

Solution

Ensure the SAML signing certificate configured on the SP and the IdP matches. The instructions below indicate how to download the certificate from your Auth0 tenant so it can be uploaded to the IdP.

This certificate contains the public key and must be provided to the IdP. Consult the IdP documentation for guidance on updating the certificate on the IdP side.

Additionally, for an SP-initiated SAML request, ensure that the SAMLResponse is returned to the correct callback URL, for example https://{tenant}.auth0.com/login/callback?connection={connection_name}, rather than the SAML protocol URL such as https://{tenant}.auth0.com/samlp/{connection_id}.

Another possibility, as outlined in our Community threads, is invalid line breaks: SAML Connection Error ‘Signature check errors: invalid signature: for uri SUPPLIED_URI calculated digest is…’
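The following added example (not Auth0's code) triages a captured SAMLResponse for the three causes above: it compares the certificate embedded in the IdP's signature against the one the SP expects, ignoring PEM armour and any line breaks, and checks whether the Destination is the /login/callback URL or the /samlp/ protocol URL. The certificate bytes, tenant name, connection id and connection name are constructed placeholders; the script does not verify the XML-DSig digest itself, which requires canonicalization.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"  # XML-DSig namespace

def cert_fingerprint(pem_or_b64: str) -> str:
    """SHA-256 fingerprint of a certificate given as PEM or bare base64.
    PEM armour and all whitespace are stripped first, so a certificate pasted
    with broken or missing line breaks still hashes to the same value."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_or_b64)
    der = base64.b64decode(re.sub(r"\s+", "", body))
    return hashlib.sha256(der).hexdigest()

def triage_response(saml_response_b64: str, expected_cert: str,
                    expected_callback: str) -> dict:
    """Does the certificate embedded in the IdP's <ds:Signature> match the one
    the SP expects, and was the response sent to the /login/callback URL
    rather than the /samlp/ protocol URL?"""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    dest = root.get("Destination", "")
    embedded = [c.text for c in root.iter(DSIG + "X509Certificate") if c.text]
    expected_fp = cert_fingerprint(expected_cert)
    return {
        "destination": dest,
        "destination_ok": dest == expected_callback,
        "posted_to_protocol_url": urlsplit(dest).path.startswith("/samlp/"),
        "embedded_certs": len(embedded),
        "cert_match": any(cert_fingerprint(c) == expected_fp for c in embedded),
    }

# Constructed sample: not a real certificate, tenant or connection.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real X.509 DER").decode()
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0"
  Destination="https://example-tenant.auth0.com/samlp/con_PLACEHOLDER">
  <ds:Signature><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()
# The same certificate as it might be pasted into the IdP: PEM armour plus
# arbitrary 20-character line wrapping, which must not change the fingerprint.
PASTED_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(FAKE_CERT_B64[i:i + 20] for i in range(0, len(FAKE_CERT_B64), 20))
              + "\n-----END CERTIFICATE-----\n")
EXPECTED_CALLBACK = "https://example-tenant.auth0.com/login/callback?connection=placeholder-conn"
```

Run `triage_response(SAMPLE_RESPONSE_B64, PASTED_PEM, EXPECTED_CALLBACK)` to see the sample flagged as posted to the protocol URL while the certificate still matches despite the re-wrapped PEM.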