1 change: 1 addition & 0 deletions main/config/navigation/en.json
Original file line number Diff line number Diff line change
Expand Up @@ -858,6 +858,7 @@
"group": "SAML",
"pages": [
"docs/authenticate/protocols/saml",
"docs/authenticate/identity-providers/enterprise-identity-providers/ping-federate",
"docs/authenticate/protocols/saml/saml-identity-provider-configuration-settings",
{
"group": "SAML Configuration",
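Review bot: the new `docs/authenticate/protocols/saml/saml-sso-integrations/algorithm-profiles` page created in this PR gets no navigation entry in `main/config/navigation/en.json` (this file shows 1 addition, 0 deletions), while the entry that is added is the pre-existing `ping-federate` enterprise-identity-provider page. Unless the new page is meant to be reachable only through inline links, add it to the "SAML Configuration" group next to `sign-and-encrypt-saml-requests`, e.g. `"docs/authenticate/protocols/saml/saml-sso-integrations/algorithm-profiles",`. Also confirm that the ping-federate page is intended to appear under the protocol-level "SAML" group and check whether it already has an entry under the enterprise identity providers group, to avoid a duplicate navigation item.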
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,10 @@ With PingFederate Server, Auth0 acts as the service provider, so you will need t

Before you upload the X.509 signing certificate to Auth0, you must convert the file to Base64. To do this, either use a [simple online tool](https://www.base64decode.org/) or run the following command in Bash: `cat signing-cert.crt | base64`.

## Assertion encryption

If your SAML assertions are encrypted, you must [set additional values](/docs/authenticate/protocols/saml/saml-sso-integrations/algorithm-profiles) for your connection to tell Auth0 how to handle decryption.

## Create an enterprise connection in Auth0

Next, if your server is configured in the standard way, you will need to create and configure a PingFederate Enterprise Connection in Auth0 and upload your X.509 signing certificate. This task can be performed using Auth0's Dashboard.
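Review bot: the new "Assertion encryption" section says the reader "must set additional values" without naming them, and the link target (the algorithm profiles page) only lists profiles; the actual setting, `assertion_decryption_settings` with `algorithm_profile` and `algorithm_exceptions`, is documented in the Sign and Encrypt SAML Requests change in this same PR. Name the property here, or point the link at the "Set Content Decryption Algorithms" section of that page so readers land on instructions rather than a table. Also consider the placement: this H2 sits between certificate retrieval and "Create an enterprise connection in Auth0", but the values can only be set on a connection that does not exist yet at this point in the procedure, so it may read better after the connection is created.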
Expand All @@ -57,7 +61,7 @@ If additional setup is required for your server (such as attribute mapping), the
| **Connection name** | Logical identifier for your connection; it must be unique for your tenant. Once set, this name can't be changed. |
| **PingFederate Server URL** | URL for your PingFederate Server. |
| **X.509 Signing Certificate** | PingFederate Server public key (encoded in PEM or CER) you retrieved from the IdP earlier in this process. |
| **Sign Request** | When enabled, the SAML authentication request will be signed. (Be sure to download and provide the PingFederate server with your [tenant's certificate](https://{yourDomain}/pem).) |
| **Sign Request** | When enabled, the SAML authentication request will be signed. (Be sure to download and provide the PingFederate server with your [tenant's certificate](https://{yourDomain}/pem).) <Callout icon="file-lines" color="#0EA5E9" iconType="regular">If your SAML assertions are encrypted, you must [set additional values](/docs/authenticate/protocols/saml/saml-sso-integrations/algorithm-profiles) for your connection to tell Auth0 how to handle decryption.</Callout> |
| **Sign Request Algorithm** | Algorithm Auth0 will use to sign the SAML assertions. Ensure this matches your PingFederate Server's configuration. |
| **Sign Request Digest Algorithm** | Algorithm Auth0 will use for the sign request digest. Ensure this matches your PingFederate Server's configuration. |
| **Sync user profile attributes at each login** | When enabled, Auth0 automatically syncs user profile data with each user login, thereby ensuring that changes made in the connection source are automatically updated in Auth0. |
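Review bot: the `<Callout>` added to the **Sign Request** row repeats the "Assertion encryption" paragraph verbatim inside a cell about request signing, which is a different mechanism (Auth0 signing the outgoing SAML request versus the IdP encrypting the assertion it returns); placing it there invites readers to conflate the two settings. A multi-element component inside a single-line Markdown table cell is also fragile to render. Suggest removing the callout from this row and relying on the standalone section added earlier in the file, or, if an in-table pointer is wanted, attaching a one-line note to a row that actually concerns encryption.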
Expand All @@ -84,4 +88,4 @@ To use your new PingFederate enterprise connection, you must first [enable the c

## Test the connection

Now you're ready to [test your connection](/docs/authenticate/identity-providers/enterprise-identity-providers/test-enterprise-connections).
Now you're ready to [test your connection](/docs/authenticate/identity-providers/enterprise-identity-providers/test-enterprise-connections).
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,10 @@ With SAML Login, Auth0 acts as the service provider, so you will need to retriev

You can use the <Tooltip tip="Management API: A product to allow customers to perform administrative tasks." cta="View Glossary" href="/docs/glossary?term=Management+API">Management API</Tooltip> or the <Tooltip tip="Management API: A product to allow customers to perform administrative tasks." cta="View Glossary" href="/docs/glossary?term=Auth0+Dashboard">Auth0 Dashboard</Tooltip> to upload the X.509 signing certificate. If you use the Management API, you must convert the file to Base64. To do this, either use a [simple online tool](https://www.base64decode.org/) or run the following command in Bash: `cat signing-cert.crt | base64`.

## Assertion encryption

If your SAML assertions are encrypted, you must [set additional values](/docs/authenticate/protocols/saml/saml-sso-integrations/algorithm-profiles) for your connection to tell Auth0 how to handle decryption.

## Create an enterprise connection in Auth0

Next, you will need to create and configure a SAML Enterprise Connection in Auth0 and upload your X.509 signing certificate. This task can be performed using either Auth0's Dashboard or Management API.
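Review bot: same issue as on the PingFederate page: the "Assertion encryption" section does not state which values to set, and the paragraph is identical in both files, so a shared snippet would keep them from drifting. Separately, the unchanged context line above shows the Auth0 Dashboard `<Tooltip>` reusing the Management API tip text (`tip="Management API: A product to allow customers to perform administrative tasks."` paired with `href="/docs/glossary?term=Auth0+Dashboard"`); that is a pre-existing copy/paste error worth fixing while this paragraph is being touched.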
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
---
description: Learn about Auth0's algorithm profiles.
title: Algorithm Profiles
validation: 2026-04-30
---

Auth0 supports predefined Algorithm Profiles to provide an easy way to specify a list of secure cryptographic algorithms without specifying each algorithm individually for your use case. These profiles represent a predefined set of algorithms that provide a baseline for the intended usage pattern.

## Naming conventions

Profiles are named for the year they were created with an incrementing number to represent subsequent releases in the same year. The latest version of the profile should be used where possible for the most secure configuration.

## Supported profiles

Auth0 as SAML service provider (SP)

| **Profile** | **Supported Algorithms**|
| ----------------- | ----------- |
| `v2026-1` | <ul> <li>http://www.w3.org/2009/xmlenc11#aes128-gcm</li> <li>http://www.w3.org/2009/xmlenc11#aes192-gcm</li> <li>http://www.w3.org/2009/xmlenc11#aes256-gcm</li> </ul> |

To learn more about configuring a connection’s authentication profile, read [Sign and Encrypt SAML Requests](/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests).
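Review bot: the closing sentence refers to "configuring a connection's authentication profile" but this page is about algorithm profiles; change it to "algorithm profile" so the link text matches the section it points at. On the new page itself: the table lists only the three AES-GCM block-encryption URIs, yet the profile governs assertion decryption, so readers will also need to know which key-transport or key-wrap algorithms are accepted alongside them, or a sentence stating that key transport is not governed by the profile; "Auth0 as SAML service provider (SP)" reads like a heading but is a bare paragraph, so make it a `###` heading or a table caption; and the header cell `**Supported Algorithms**|` is missing the space before the pipe.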
Original file line number Diff line number Diff line change
Expand Up @@ -41,12 +41,11 @@ Payload:
"options" : {
[...], // all the other connection options
"deflate": false
}
}
}
}
```



### Use a custom key to sign requests

By default, Auth0 uses the tenant private key to sign SAML requests (when the **Sign Request** toggle is enabled). You can also provide your own private/public key pair to sign requests coming from a specific connection.
Expand All @@ -57,11 +56,6 @@ You can generate your own certificate and private key using this command:
openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 -keyout private_key.key -out certificate.crt
```






Changing the key used to sign requests in the connection can't be done on the Dashboard UI, so you will have to use the [Update a Connection endpoint](https://auth0.com/docs/api/management/v2#!/Connections/patch_connections_by_id) from the <Tooltip tip="Management API: A product to allow customers to perform administrative tasks." cta="View Glossary" href="/docs/glossary?term=Management+API">Management API</Tooltip> v2, and add a `signing_key` property to the `options` object, as shown in the payload example below.

Updating the `options` object for a connection overrides the whole `options` object. To keep previous connection options, get the existing `options` object and add new key/values to it.
Expand Down Expand Up @@ -114,6 +108,33 @@ Use the following links to obtain the public key in different formats:

Download the certificate in the format requested by the IdP.

#### Set Content Decryption Algorithms

By default, Auth0 automatically supports the algorithms listed in the latest [Algorithm Profile](/docs/authenticate/protocols/saml/saml-sso-integrations/algorithm-profiles) for decrypting SAML assertions.

<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
If the assertion is encrypted with an algorithm not in the list, then the assertion will be rejected by Auth0.
</Callout>

To specify a different profile or use an unlisted algorithm, you need to update the connection using the [Update a Connection](https://auth0.com/docs/api/management/v2/connections/patch-connections-by-id) endpoint and change the `assertion_decryption_settings` property as shown in the payload example below.

When you update the options object for a connection, the new configuration overrides the whole `options` object. To keep previous connection options, get the existing options object and add new key/values to it.

Endpoint: `https://{yourDomain}/api/v2/connections/{yourConnectionId}`
Payload:

```json
{
"options": {
[...], // all the other connection options
"assertion_decryption_settings": {
"algorithm_profile": "v2026-1",
"algorithm_exceptions": []
}
}
}
```

### Use your key pair to decrypt encrypted responses

As noted above, Auth0 will by default use your tenant's private/public key pair to handle encryption. You can also provide your own public/private key pair if an advanced scenario requires so.
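Review bot: the payload example does not demonstrate either use case the preceding sentence introduces ("specify a different profile or use an unlisted algorithm"): it sets the default `"algorithm_profile": "v2026-1"` with an empty `algorithm_exceptions` array, which is the behaviour the section already says applies by default. Document what `algorithm_exceptions` accepts (algorithm URIs as in the profile table?), whether entries widen the profile's allowed set or remove from it, and whether it can be used without `algorithm_profile`, and show one non-empty example. Since exceptions presumably extend what Auth0 will accept from the IdP, the text should also advise listing only the algorithms the IdP actually requires. Finally, `#### Set Content Decryption Algorithms` is an H4 while the neighbouring `### Use your key pair to decrypt encrypted responses` is an H3; confirm it is meant to nest under the preceding H3 rather than sit as its peer.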