Certificates Used in SAML
This article explains whether the following two URLs return the same default certificate for an Auth0 tenant:
- https://TENANT_DOMAIN/pem
- https://TENANT_DOMAIN/pem?cert=connection
They do not. The certificates returned by the /pem and /pem?cert=connection endpoints are different. The /pem endpoint returns the tenant signing certificate (the public half of the tenant signing key), which Auth0 uses when it acts as an Identity Provider (IdP). The /pem?cert=connection endpoint returns the connection signing certificate, whose key Auth0 uses to sign the requests it sends to an upstream identity provider (e.g., SAML authentication requests) when it acts as a Service Provider (SP).
NOTE: Some older tenants (created before 2018) may return the same certificate from both endpoints. Even then, treat them as two separate endpoints and two separate certificates, as explained above, because they can diverge (for example, after a key rotation).
The certificate used by connections (e.g., to sign outbound SAML requests) can be downloaded from:
https://TENANT_DOMAIN/pem?cert=connection
Note that cert=connection is a fixed literal. Do not replace connection with the name of a connection.
The same connection certificate is also embedded in the connection's SP metadata, available at:
https://TENANT_DOMAIN/samlp/metadata?connection=CONNECTION_NAME
For the /samlp/metadata endpoint the actual connection name must be passed as the value; unlike cert=connection, it is not a fixed literal.
The certificate used for Applications and APIs (e.g., to sign ID tokens and SAML responses), which is the current tenant signing certificate when Auth0 acts as the Identity Provider (IdP), can be obtained in three ways:
- The https://TENANT_DOMAIN/pem endpoint.
- The Auth0 Dashboard: go to Applications, select an application, then select Show Advanced Settings > Certificates > Download Certificate.
- The application's SAML metadata file, which also embeds the certificate and has the URL format:
https://TENANT_DOMAIN/samlp/metadata/CLIENT_ID
When the /pem endpoint is called with any query parameter other than cert=connection, the query string is ignored and the endpoint responds exactly as plain /pem does, i.e., with the tenant signing certificate. For example:
https://TENANT_DOMAIN/pem?connection=connection_name
In this case connection=connection_name is ignored, because the endpoint only recognizes /pem and /pem?cert=connection. This failure mode is silent: the request succeeds and returns a valid certificate, just not the connection certificate. If you need the connection certificate, confirm that the certificate you downloaded differs from the plain /pem result (compare fingerprints) and matches the one embedded in the connection's SP metadata.
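The checks described in this article can be automated. The following Python script is an added example and is not Auth0's own code: it fetches the certificates from the five endpoints discussed above, computes SHA-256 fingerprints (in the same colon-separated form as openssl x509 -fingerprint -sha256), and reports whether the tenant and connection certificates differ, whether a wrong query parameter silently returned the tenant certificate, and whether each SAML metadata document embeds the certificate it should. The tenant domain example.auth0.com, the connection name my-saml-idp, the client ID CLIENT_ID, and the offline_fetch stand-in (which models the endpoint behaviour the article describes, using constructed placeholder bytes instead of real X.509 DER) are all assumptions made for the example; against a live tenant, call audit_tenant with the default fetch.

```python
"""Audit which certificate each Auth0 /pem and SAML metadata endpoint serves,
by SHA-256 fingerprint. Added example, not Auth0 code."""
import base64
import hashlib
import re
import urllib.request
import xml.etree.ElementTree as ET

DS_NS = "{http://www.w3.org/2000/09/xmldsig#}"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and decode the base64 body to DER bytes.
    Line wrapping and surrounding whitespace do not affect the result."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def der_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, as `openssl x509 -fingerprint -sha256` prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_fingerprint(pem: str) -> str:
    return der_fingerprint(pem_to_der(pem))


def metadata_fingerprints(metadata_xml: str) -> list[str]:
    """Fingerprints of every ds:X509Certificate embedded in a SAML metadata document."""
    root = ET.fromstring(metadata_xml)
    return [
        der_fingerprint(base64.b64decode("".join((el.text or "").split())))
        for el in root.iter(DS_NS + "X509Certificate")
    ]


def fetch_text(url: str) -> str:
    """Live HTTPS fetch; the offline example below injects offline_fetch instead."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode()


def audit_tenant(tenant_domain: str, connection_name: str, client_id: str, fetch=fetch_text) -> dict:
    """Compare the certificates served by the endpoints discussed in the article."""
    base = f"https://{tenant_domain}"
    tenant_fp = pem_fingerprint(fetch(f"{base}/pem"))
    connection_fp = pem_fingerprint(fetch(f"{base}/pem?cert=connection"))
    # Pitfall from the article: any other query string is ignored and plain /pem's answer comes back.
    wrong_param_fp = pem_fingerprint(fetch(f"{base}/pem?connection={connection_name}"))
    sp_md = metadata_fingerprints(fetch(f"{base}/samlp/metadata?connection={connection_name}"))
    idp_md = metadata_fingerprints(fetch(f"{base}/samlp/metadata/{client_id}"))
    return {
        "tenant_fp": tenant_fp,
        "connection_fp": connection_fp,
        "tenant_and_connection_differ": tenant_fp != connection_fp,
        "wrong_param_returned_tenant_cert": wrong_param_fp == tenant_fp,
        "sp_metadata_matches_connection_cert": connection_fp in sp_md,
        "idp_metadata_matches_tenant_cert": tenant_fp in idp_md,
    }


# ---- Offline stand-in for a tenant (constructed data; real endpoints return X.509 DER) ----
TENANT_DER = b"constructed stand-in for the tenant signing certificate DER"
CONNECTION_DER = b"constructed stand-in for the connection signing certificate DER"


def make_pem(der: bytes, width: int = 64) -> str:
    """Wrap bytes in PEM armour with the given line width."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def make_metadata(der: bytes) -> str:
    """Minimal SAML metadata document carrying one signing certificate."""
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="urn:example:constructed">'
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{base64.b64encode(der).decode()}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:EntityDescriptor>"
    )


def offline_fetch(url: str) -> str:
    """Models the behaviour the article describes: only cert=connection selects the connection cert."""
    path = url.split("://", 1)[1].split("/", 1)[1]
    if path.startswith("pem"):
        query = path.partition("?")[2]
        return make_pem(CONNECTION_DER if query == "cert=connection" else TENANT_DER)
    if path.startswith("samlp/metadata?connection="):
        return make_metadata(CONNECTION_DER)
    if path.startswith("samlp/metadata/"):
        return make_metadata(TENANT_DER)
    raise ValueError(f"unexpected URL: {url}")
```

With the offline stand-in, audit_tenant("example.auth0.com", "my-saml-idp", "CLIENT_ID", fetch=offline_fetch) reports that the two /pem variants differ, that /pem?connection=my-saml-idp came back with the tenant certificate, and that each metadata document embeds the expected certificate. Against a real tenant, drop the fetch argument; a report where wrong_param_returned_tenant_cert is true is the silent failure the article warns about.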