XMLJS0013: Cryptographic error: Invalid Digest for Uri
This article explains some potential causes for an Identity Provider (IdP) SAML connection redirecting the end user to the login screen again instead of completing the login.
The error returned in the tenant logs (OpenSearch) indicates an invalid digital signature:
XMLJS0013: Cryptographic error: Invalid digest for uri
This issue can be caused by the SAML signatures not matching between the Service Provider (SP) and IdP. However, the same error can occur in an SP-initiated request when the response gets returned to the SAML protocol URL (e.g., https://{tenant}.auth0.com/samlp/{connection_id}) instead of the callback URL (e.g., https://{tenant}.auth0.com/login/callback?connection={connection_name}).
There are other possible reasons, however, and this article is likely not a complete overview of all potential causes. Please check the Auth0 Community forums for other instances of this error.
Ensure the SAML signature used by the SP and the IdP matches. The instructions below describe how to download the certificate from your Auth0 tenant so it can be uploaded to the IdP.
- The public key for the SAML certificates can be presented in a variety of formats, as discussed here.
- Download the certificate in the format that is required by the IdP.
This certificate contains the public key, which must be provided to the IdP. For guidance on updating the certificate on the IdP, consult the IdP documentation.
Additionally, for an SP-initiated SAML request, ensure that the SAMLResponse is returned to the correct callback URL. For example, the response should be posted to https://{tenant}.auth0.com/login/callback?connection={connection_name}, not to the SAML protocol URL such as https://{tenant}.auth0.com/samlp/{connection_id}.
Another possibility, as outlined in our Community threads, is invalid line breaks; see the thread SAML Connection Error ‘Signature check errors: invalid signature: for uri SUPPLIED_URI calculated digest is…’
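The digest check that produces the error above, as an added diagnostic that is not Auth0's code: it recomputes the digest for each ds:Reference in a SAMLResponse (enveloped-signature transform, canonicalisation, SHA-256) and reports the supplied and calculated values side by side, and then shows that a single line break introduced inside the signed element is enough to cause the mismatch. It assumes Python 3.8+, SHA-256 digests, and that the stdlib's C14N 2.0 canonicaliser produces the same bytes as the exclusive C14N 1.0 SAML uses (true for simple responses like the constructed sample, not guaranteed for every IdP); it does not verify the signature value itself, so use an xmlsec-based library for real verification.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
for prefix, uri in (("ds", DS), ("saml", SAML), ("samlp", SAMLP)):
    ET.register_namespace(prefix, uri)  # keep the usual prefixes when re-serialising


def canonical_digest(element):
    """Drop ds:Signature (enveloped transform), canonicalise, SHA-256, base64.
    Assumption: stdlib C14N 2.0 output equals the exclusive C14N 1.0 SAML uses."""
    raw = ET.tostring(element, encoding="unicode")
    c14n = ET.canonicalize(raw, exclude_tags=[f"{{{DS}}}Signature"])
    return base64.b64encode(hashlib.sha256(c14n.encode("utf-8")).digest()).decode("ascii")


def check_digests(response_xml):
    """For every ds:Reference: (URI, DigestValue supplied by the IdP, digest we calculate)."""
    root = ET.fromstring(response_xml)
    by_id = {el.get("ID"): el for el in root.iter() if el.get("ID")}
    results = []
    for ref in root.iter(f"{{{DS}}}Reference"):
        uri = ref.get("URI", "")
        supplied = ref.findtext(f"{{{DS}}}DigestValue", "").strip()
        target = by_id.get(uri.lstrip("#"))
        calculated = canonical_digest(target) if target is not None else None
        results.append((uri, supplied, calculated))
    return results


def build_sample(name_id):
    """Constructed minimal response: digest the assertion, then nest ds:Signature inside it."""
    assertion = (f'<saml:Assertion xmlns:saml="{SAML}" ID="_a1" Version="2.0">'
                 f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
                 '</saml:Assertion>')
    digest = canonical_digest(ET.fromstring(assertion))
    signature = (f'<ds:Signature xmlns:ds="{DS}"><ds:SignedInfo><ds:Reference URI="#_a1">'
                 f'<ds:DigestValue>{digest}</ds:DigestValue></ds:Reference></ds:SignedInfo>'
                 '<ds:SignatureValue>not-checked-here</ds:SignatureValue></ds:Signature>')
    signed = assertion.replace("</saml:Assertion>", signature + "</saml:Assertion>")
    return f'<samlp:Response xmlns:samlp="{SAMLP}" ID="_r1">{signed}</samlp:Response>'


if __name__ == "__main__":
    intact = build_sample("alice@example.com")
    # One line break inside the signed element (copy/paste, proxy rewriting) changes
    # the canonical bytes, so the calculated digest no longer equals the supplied one.
    reformatted = intact.replace("</saml:Subject>", "</saml:Subject>\n")
    for label, doc in (("intact", intact), ("line break added", reformatted)):
        for uri, supplied, calculated in check_digests(doc):
            status = "OK" if supplied == calculated else "MISMATCH"
            print(f"{label}: for uri {uri} supplied {supplied} calculated {calculated} -> {status}")
```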