Invalid Signature Error When Using Node-SAML for Setting Up Auth0 as SAML IdP
This article explains why an error occurs when using node-saml version 4.0.0 or newer to set up Auth0 as a Security Assertion Markup Language (SAML) Identity Provider (IdP). When this configuration is attempted, the following error may be encountered:
Invalid Signature
or
Invalid document signature
- SAML connection
As of version 4.0.0, node-saml expects by default that both the top-level SAML response and the assertion are signed (see the README.md for that version). When acting as the IdP, Auth0 signs only the assertion; it does not support signing both the assertion and the top-level response.
To resolve the error, adjust the node-saml configuration to expect only the assertion to be signed.
- In the node-saml configuration file, locate the signature validation parameters.
- Use the wantAssertionsSigned and wantAuthnResponseSigned parameters to configure node-saml to validate only the signature of the assertion.
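The following is an added example, not code from the Auth0 article or from the node-saml project. Before changing the two flags, a practitioner usually wants to confirm which parts of the SAML response actually carry a signature. The function below does a structural scan of a raw SAML Response (which XMLDSig Signature elements sit inside the Assertion and which sit at the top level; no cryptographic verification, node-saml does that once configured) and derives the matching wantAssertionsSigned / wantAuthnResponseSigned values. It also shows that node-saml's 4.0.0 defaults (both true, as the article states) would reject an Auth0-style response. The sample responses, issuer and IDs are constructed; the options object is meant to be merged into the rest of a node-saml configuration (entry point, certificate, callback URL), which is omitted here.

```javascript
// Added example: structural signature scan of a SAML Response plus the
// node-saml signature options that match it. Not Auth0's or node-saml's code.

// Match an opening tag by local name, with or without a namespace prefix.
// The trailing \b keeps "Signature" from matching "SignatureValue".
const OPEN = (name) => new RegExp(`<(?:[\\w-]+:)?${name}\\b`, 'g');
const CLOSE = (name) => new RegExp(`</(?:[\\w-]+:)?${name}\\s*>`, 'g');

function findAll(re, xml) {
  const out = [];
  let m;
  re.lastIndex = 0;
  while ((m = re.exec(xml)) !== null) out.push(m.index);
  return out;
}

// Report whether the Assertion and/or the top-level Response carry a
// <Signature> element. Only the first Assertion is considered.
function inspectSignatures(xml) {
  const aStart = findAll(OPEN('Assertion'), xml)[0] ?? -1;
  const aEnd = findAll(CLOSE('Assertion'), xml)[0] ?? -1;
  let assertionSigned = false;
  let responseSigned = false;
  for (const s of findAll(OPEN('Signature'), xml)) {
    if (aStart !== -1 && s > aStart && s < aEnd) assertionSigned = true;
    else responseSigned = true; // a Signature outside the Assertion is the top-level one
  }
  return { assertionSigned, responseSigned };
}

// The two node-saml (>= 4.0.0) options named in the article, set to match
// what the IdP actually signs. Auth0 as IdP yields { true, false }.
function nodeSamlSignatureOptions(xml) {
  const { assertionSigned, responseSigned } = inspectSignatures(xml);
  return {
    wantAssertionsSigned: assertionSigned,
    wantAuthnResponseSigned: responseSigned,
  };
}

// node-saml 4.0.0 defaults require both signatures; this predicts whether a
// response would pass signature validation with the defaults left in place.
function acceptedWithNodeSamlDefaults(xml) {
  const { assertionSigned, responseSigned } = inspectSignatures(xml);
  return assertionSigned && responseSigned;
}

// Constructed sample in the shape Auth0 produces as IdP: only the Assertion is signed.
const AUTH0_STYLE_RESPONSE = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_resp1" Version="2.0">
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
    <saml:Issuer>urn:example-tenant.auth0.com</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>`;

// Constructed sample from an IdP that signs both the Response and the Assertion.
const BOTH_SIGNED_RESPONSE = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_resp2" Version="2.0">
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo><ds:Reference URI="#_resp2"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a2" Version="2.0">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:Reference URI="#_a2"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>`;

console.log('Auth0-style:', inspectSignatures(AUTH0_STYLE_RESPONSE),
  'accepted by node-saml defaults:', acceptedWithNodeSamlDefaults(AUTH0_STYLE_RESPONSE));
console.log('node-saml options for Auth0 IdP:', nodeSamlSignatureOptions(AUTH0_STYLE_RESPONSE));
console.log('Both signed:', inspectSignatures(BOTH_SIGNED_RESPONSE));
```

Run the file with node against a decoded SAMLResponse captured from your own test login. An Auth0-style response reports the assertion as signed and the top-level response as unsigned, so the derived options are wantAssertionsSigned: true and wantAuthnResponseSigned: false; leaving node-saml at its 4.0.0 defaults on that input is exactly the "Invalid Signature" case the article describes. Keep wantAssertionsSigned true: relaxing the assertion check as well would leave the response with no verified signature at all.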