Auth0 Support Center - Custom Signing and Encryption Certificate in SAML SP Metadata

Custom Signing and Encryption Certificate in SAML SP Metadata

Sep 10, 2025

Overview

Is it possible to change the signing and encryption certificates of a SAML connection?

Solution

When you download the SP metadata for a SAML connection, there will be a "signing" certificate and an "encryption" certificate in the XML file. By default, they are the same since they are generated with the tenant default signing and encryption key used for SAML and WS-Federation connections. NOTE: This is not the same certificate used for SAML tokens issued by Auth0 (when Auth0 acts as SAML IdP).

The SP metadata: https://tenant.{us/eu/au}.auth0.com/samlp/metadata?connection={connection_name}

To update the "signing" certificate in the SP metadata, use the Management APIv2 to update the options.signing_key object in the connection settings, per the steps in Use a custom key to sign requests.

To update the "encrytion" certificate in the SP metadata, use the Management APIv2 to update the options.decryptionKey object in the connection settings, per the steps in Use your key pair to decrypt encrypted responses.