From 040fb8f8413baeec8fda7674facb2095f34ac6e6 Mon Sep 17 00:00:00 2001
From: Carlos Fung
Date: Mon, 30 Mar 2026 15:20:46 +0200
Subject: [PATCH 01/11] Update sign-and-encrypt-saml-requests.mdx
---
 .../sign-and-encrypt-saml-requests.mdx | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx b/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
index 3ce5593d48..2d6675b9d0 100644
--- a/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
+++ b/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
@@ -248,7 +248,7 @@ To configure signature validation:
 ### Send encrypted SAML authentication assertions
-If Auth0 is the SAML identity provider, you can use [Actions](/docs/customize/actions) to encrypt the SAML assertions it sends.
+If Auth0 is the SAML identity provider, you can use [Actions](/docs/customize/actions) to encrypt the SAML assertions it sends. You can also select the encryption algorithm used for assertion encryption. Auth0 recommends using `aes256-gcm` for a stronger security posture.
 You must obtain the certificate and the public key from the service provider. If you only got the certificate, you can derive the public key using `openssl`. Assuming that the certificate file is named `certificate.pem`, you can run:
@@ -271,6 +271,7 @@ exports.onExecutePostLogin = async (event, api) => {
 api.samlResponse.setEncryptionCert(encryptionCert);
 api.samlResponse.setEncryptionPublicKey(encryptionPublicKey);
+ api.samlResponse.setEncryptionAlgorithm("aes256-gcm");
 }
 };
 ```
@@ -280,11 +281,23 @@ exports.onExecutePostLogin = async (event, api) => {
-The following algorithms are used:
+The following algorithms are supported for assertion encryption:
-* [AES256](http://www.w3.org/2001/04/xmlenc#aes256-cbc) for assertion encryption
+* [aes256-gcm](http://www.w3.org/2001/04/xmlenc#aes256-gcm) **(Recommended)** Authenticated encryption that provides both confidentiality and integrity. It is resistant to format validity oracle attacks.
+* [aes256-cbc](http://www.w3.org/2001/04/xmlenc#aes256-cbc) Default. It does not provide integrity guarantees.
 * [RSA-OAEP](http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p) (including MGF1 and SHA1) for key transport
+
+Auth0 defaults to the `aes256-cbc` algorithm and logs a deprecation warning in your tenant logs, when an encryption algorithm is not set using `setEncryptionAlgorithm`.
+
+
+
+Auth0 intends to change the default encryption algorithm to `aes256-gcm` and recommends to set the algorithm using `setEncryptionAlgorithm`.
+If your Action code does not explicitly use `setEncryptionAlgorithm`, its algorithm will change when the new default algorithm takes effect.
+Before switching to `aes256-gcm`, verify that your SAML service provider supports it. If it does not, contact your service provider vendor to request support.
+
+
+
 ## Learn more
 * [Work with Certificates and Keys as Strings](/docs/authenticate/protocols/saml/saml-sso-integrations/work-with-certificates-and-keys-as-strings)
From eec98f8d524a3431136b6ab93a994958df47bb52 Mon Sep 17 00:00:00 2001
From: Carlos Fung
Date: Mon, 30 Mar 2026 15:34:17 +0200
Subject: [PATCH 02/11] Update sign-and-encrypt-saml-requests.mdx
---
 .../saml-sso-integrations/sign-and-encrypt-saml-requests.mdx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx b/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
index 2d6675b9d0..7108ba77ea 100644
--- a/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
+++ b/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
@@ -292,8 +292,8 @@ Auth0 defaults to the `aes256-cbc` algorithm and logs a deprecation warning in y
-Auth0 intends to change the default encryption algorithm to `aes256-gcm` and recommends to set the algorithm using `setEncryptionAlgorithm`.
-If your Action code does not explicitly use `setEncryptionAlgorithm`, its algorithm will change when the new default algorithm takes effect.
+* Auth0 intends to change the default encryption algorithm to `aes256-gcm` and recommends to set the algorithm using `setEncryptionAlgorithm`.
+* If your Action code does not explicitly use `setEncryptionAlgorithm`, its algorithm will change when the new default algorithm takes effect.
 Before switching to `aes256-gcm`, verify that your SAML service provider supports it. If it does not, contact your service provider vendor to request support.
From 7e2ae3a249b9c4f66e33fb396717e59f0465da11 Mon Sep 17 00:00:00 2001
From: Carlos Fung
Date: Mon, 30 Mar 2026 15:40:54 +0200
Subject: [PATCH 03/11] Update sign-and-encrypt-saml-requests.mdx
---
 .../saml-sso-integrations/sign-and-encrypt-saml-requests.mdx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx b/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
index 7108ba77ea..9fe3c69520 100644
--- a/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
+++ b/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
@@ -283,8 +283,8 @@ exports.onExecutePostLogin = async (event, api) => {
 The following algorithms are supported for assertion encryption:
-* [aes256-gcm](http://www.w3.org/2001/04/xmlenc#aes256-gcm) **(Recommended)** Authenticated encryption that provides both confidentiality and integrity. It is resistant to format validity oracle attacks.
-* [aes256-cbc](http://www.w3.org/2001/04/xmlenc#aes256-cbc) Default. It does not provide integrity guarantees.
+* [AES-256-GCM](http://www.w3.org/2001/04/xmlenc#aes256-gcm) **(Recommended)** Authenticated encryption that provides both confidentiality and integrity. It is resistant to format validity oracle attacks.
+* [AES-256-CBC](http://www.w3.org/2001/04/xmlenc#aes256-cbc) Default. It does not provide integrity guarantees.
 * [RSA-OAEP](http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p) (including MGF1 and SHA1) for key transport
From 857643e9b4749a562664f0d7ae1ac4f08bad542d Mon Sep 17 00:00:00 2001
From: Carlos Fung
Date: Mon, 30 Mar 2026 15:44:24 +0200
Subject: [PATCH 04/11] Update sign-and-encrypt-saml-requests.mdx
---
 .../sign-and-encrypt-saml-requests.mdx | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx b/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
index 9fe3c69520..1413fdad54 100644
--- a/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
+++ b/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
@@ -283,9 +283,9 @@ exports.onExecutePostLogin = async (event, api) => {
 The following algorithms are supported for assertion encryption:
-* [AES-256-GCM](http://www.w3.org/2001/04/xmlenc#aes256-gcm) **(Recommended)** Authenticated encryption that provides both confidentiality and integrity. It is resistant to format validity oracle attacks.
-* [AES-256-CBC](http://www.w3.org/2001/04/xmlenc#aes256-cbc) Default. It does not provide integrity guarantees.
-* [RSA-OAEP](http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p) (including MGF1 and SHA1) for key transport
+* [aes256-gcm](http://www.w3.org/2001/04/xmlenc#aes256-gcm) **(Recommended)** Authenticated encryption that provides both confidentiality and integrity. It is resistant to format validity oracle attacks.
+* [aes256-cbc](http://www.w3.org/2001/04/xmlenc#aes256-cbc) Default. It does not provide integrity guarantees.
+* [rsa-oaep](http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p) (including MGF1 and SHA1) for key transport.
 Auth0 defaults to the `aes256-cbc` algorithm and logs a deprecation warning in your tenant logs, when an encryption algorithm is not set using `setEncryptionAlgorithm`.
From 03a344e4465e6379b884c42145a7ad523eab2bba Mon Sep 17 00:00:00 2001
From: Carlos Fung
Date: Mon, 30 Mar 2026 15:53:53 +0200
Subject: [PATCH 05/11] Update sign-and-encrypt-saml-requests.mdx
---
 .../sign-and-encrypt-saml-requests.mdx | 17 +----------------
 1 file changed, 1 insertion(+), 16 deletions(-)
diff --git a/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx b/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
index 1413fdad54..9e48303628 100644
--- a/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
+++ b/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
@@ -215,11 +215,6 @@ exports.onExecutePostLogin = async (event, api) => {
 };
 ```
-
-
-
-
-
 To learn how to turn the private key and certificate files into strings that you can use in a rule, see [Work with Certificates and Keys and Strings](/docs/authenticate/protocols/saml/saml-sso-integrations/work-with-certificates-and-keys-as-strings).
 ### Receive signed SAML authentication requests
@@ -239,12 +234,7 @@ To configure signature validation:
 [...], // other settings
 "signingCert": "-----BEGIN CERTIFICATE-----\nMIIC8jCCAdqgAwIBAgIJObB6jmhG0QIEMA0GCSqGSIb3DQEBBQUAMCAxHjAcBgNV\n[..all the other lines..]-----END CERTIFICATE-----\n"
 }
- ```
-
-
-
-
-
+ ```
 ### Send encrypted SAML authentication assertions
@@ -276,11 +266,6 @@ exports.onExecutePostLogin = async (event, api) => {
 };
 ```
-
-
-
-
-
 The following algorithms are supported for assertion encryption:
 * [aes256-gcm](http://www.w3.org/2001/04/xmlenc#aes256-gcm) **(Recommended)** Authenticated encryption that provides both confidentiality and integrity. It is resistant to format validity oracle attacks.
From 63fa9a71e81abc31b1b1d8303240064fdb52c5a2 Mon Sep 17 00:00:00 2001
From: Carlos Fung
Date: Thu, 9 Apr 2026 12:27:01 +0200
Subject: [PATCH 06/11] Update sign-and-encrypt-saml-requests.mdx
---
 .../sign-and-encrypt-saml-requests.mdx | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx b/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
index 9e48303628..c3d0d5576d 100644
--- a/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
+++ b/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
@@ -266,19 +266,21 @@ exports.onExecutePostLogin = async (event, api) => {
 };
 ```
-The following algorithms are supported for assertion encryption:
+Auth0 supports the following algorithms for assertion encryption:
 * [aes256-gcm](http://www.w3.org/2001/04/xmlenc#aes256-gcm) **(Recommended)** Authenticated encryption that provides both confidentiality and integrity. It is resistant to format validity oracle attacks.
 * [aes256-cbc](http://www.w3.org/2001/04/xmlenc#aes256-cbc) Default. It does not provide integrity guarantees.
-* [rsa-oaep](http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p) (including MGF1 and SHA1) for key transport.
+* [rsa-oaep](http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p) (including MGF1 and SHA1) used for key transport.
 Auth0 defaults to the `aes256-cbc` algorithm and logs a deprecation warning in your tenant logs, when an encryption algorithm is not set using `setEncryptionAlgorithm`.
+
+Auth0 intends to change the default encryption algorithm to aes256-gcm and recommends to set the algorithm using setEncryptionAlgorithm. This will suppress the deprecation warning and ensure that your integration behaves predictably when the default changes in a future release.
+
-* Auth0 intends to change the default encryption algorithm to `aes256-gcm` and recommends to set the algorithm using `setEncryptionAlgorithm`.
-* If your Action code does not explicitly use `setEncryptionAlgorithm`, its algorithm will change when the new default algorithm takes effect.
+If your Action code does not explicitly use `setEncryptionAlgorithm`, its algorithm will change when the new default algorithm takes effect.
 Before switching to `aes256-gcm`, verify that your SAML service provider supports it. If it does not, contact your service provider vendor to request support.
From 6bea5ed9bd0f5f8f4d7882f3b1a9b341caa2e459 Mon Sep 17 00:00:00 2001
From: Carlos Fung
Date: Thu, 9 Apr 2026 18:33:03 +0200
Subject: [PATCH 07/11] Update sign-and-encrypt-saml-requests.mdx
---
 .../sign-and-encrypt-saml-requests.mdx | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx b/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
index c3d0d5576d..36bf81b11c 100644
--- a/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
+++ b/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
@@ -261,7 +261,7 @@ exports.onExecutePostLogin = async (event, api) => {
 api.samlResponse.setEncryptionCert(encryptionCert);
 api.samlResponse.setEncryptionPublicKey(encryptionPublicKey);
- api.samlResponse.setEncryptionAlgorithm("aes256-gcm");
+ api.samlResponse.setEncryptionAlgorithm("aes256-gcm");
 }
 };
 ```
@@ -273,15 +273,13 @@ Auth0 supports the following algorithms for assertion encryption:
 * [rsa-oaep](http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p) (including MGF1 and SHA1) used for key transport.
-Auth0 defaults to the `aes256-cbc` algorithm and logs a deprecation warning in your tenant logs, when an encryption algorithm is not set using `setEncryptionAlgorithm`.
-
-Auth0 intends to change the default encryption algorithm to aes256-gcm and recommends to set the algorithm using setEncryptionAlgorithm. This will suppress the deprecation warning and ensure that your integration behaves predictably when the default changes in a future release.
-
+When an Action does not use the object `api.samlResponse.setEncryptionAlgorithm` to set the encryption algorithm, Auth0 defaults to the `aes256-cbc` algorithm and logs a deprecation warning in your tenant logs.
-If your Action code does not explicitly use `setEncryptionAlgorithm`, its algorithm will change when the new default algorithm takes effect.
-Before switching to `aes256-gcm`, verify that your SAML service provider supports it. If it does not, contact your service provider vendor to request support.
+* Auth0 intends to change the default encryption algorithm to `aes256-gcm`.
+* Update your Action code to set the encryption to `aes256-gcm` using the object `api.samlResponse.setEncryptionAlgorithm`. This supresses the deprecation warning and ensures that your integration behaves predictably when the default algorithm changes.
+* Before setting the algorithm to `aes256-gcm`, verify that your SAML service provider supports it. If it does not, contact your service provider vendor to request support.
From 81de8581945a0399b54d157fca826dc4d7732944 Mon Sep 17 00:00:00 2001
From: Carlos Fung
Date: Fri, 10 Apr 2026 11:02:00 +0200
Subject: [PATCH 08/11] Apply suggestion from @hazel-nut
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Hazel Virdó
---
 .../sign-and-encrypt-saml-requests.mdx | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx b/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
index 36bf81b11c..38c358cd2b 100644
--- a/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
+++ b/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
@@ -277,9 +277,12 @@ When an Action does not use the object `api.samlResponse.setEncryptionAlgorithm`
-* Auth0 intends to change the default encryption algorithm to `aes256-gcm`.
-* Update your Action code to set the encryption to `aes256-gcm` using the object `api.samlResponse.setEncryptionAlgorithm`. This supresses the deprecation warning and ensures that your integration behaves predictably when the default algorithm changes.
-* Before setting the algorithm to `aes256-gcm`, verify that your SAML service provider supports it. If it does not, contact your service provider vendor to request support.
+The default encryption algorithm will change to `aes256-gcm` on . Actions currently issue a deprecation warning when using , and .
+
+For consistent behavior after the default algorithm changes, we recommend switching to `aes256-gcm`:
+
+1. Verify that your SAML service provider supports `aes256-gcm`, and contact them for support if they do not.
+2. Set the encryption in your Action code with `api.samlResponse.setEncryptionAlgorithm("aes256-gcm");`.
From 00eab177c17c72cfd004e598f81c8676b2cbe9b3 Mon Sep 17 00:00:00 2001
From: Carlos Fung
Date: Fri, 10 Apr 2026 11:02:43 +0200
Subject: [PATCH 09/11] Update main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-authored-by: Hazel Virdó
---
 .../sign-and-encrypt-saml-requests.mdx | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx b/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
index 38c358cd2b..f04c10355c 100644
--- a/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
+++ b/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
@@ -268,13 +268,9 @@ exports.onExecutePostLogin = async (event, api) => {
 Auth0 supports the following algorithms for assertion encryption:
-* [aes256-gcm](http://www.w3.org/2001/04/xmlenc#aes256-gcm) **(Recommended)** Authenticated encryption that provides both confidentiality and integrity. It is resistant to format validity oracle attacks.
-* [aes256-cbc](http://www.w3.org/2001/04/xmlenc#aes256-cbc) Default. It does not provide integrity guarantees.
-* [rsa-oaep](http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p) (including MGF1 and SHA1) used for key transport.
-
-
-When an Action does not use the object `api.samlResponse.setEncryptionAlgorithm` to set the encryption algorithm, Auth0 defaults to the `aes256-cbc` algorithm and logs a deprecation warning in your tenant logs.
-
+* [`aes256-gcm`](http://www.w3.org/2001/04/xmlenc#aes256-gcm) **(recommended)**: Authenticated encryption that provides both confidentiality and integrity. It is resistant to format validity oracle attacks.
+* [`aes256-cbc`](http://www.w3.org/2001/04/xmlenc#aes256-cbc) (default): It does not provide integrity guarantees. When an Action does not use the object `api.samlResponse.setEncryptionAlgorithm` to set the encryption algorithm, Auth0 defaults to the `aes256-cbc` algorithm and logs a deprecation warning in your tenant logs.
+* [`rsa-oaep`](http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p), including MGF1 and SHA1 used for key transport.
 The default encryption algorithm will change to `aes256-gcm` on . Actions currently issue a deprecation warning when using , and .
From ac8a8cb5a57283f2ef5cace2981db08be7ae4561 Mon Sep 17 00:00:00 2001
From: Carlos Fung
Date: Fri, 10 Apr 2026 11:07:49 +0200
Subject: [PATCH 10/11] Update sign-and-encrypt-saml-requests.mdx
---
 .../saml-sso-integrations/sign-and-encrypt-saml-requests.mdx | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx b/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
index f04c10355c..00f4fbb601 100644
--- a/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
+++ b/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
@@ -273,12 +273,12 @@ Auth0 supports the following algorithms for assertion encryption:
 * [`rsa-oaep`](http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p), including MGF1 and SHA1 used for key transport.
-The default encryption algorithm will change to `aes256-gcm` on . Actions currently issue a deprecation warning when using , and .
+Auth0 intends to update the default encryption algorithm to `aes256-gcm`.
 For consistent behavior after the default algorithm changes, we recommend switching to `aes256-gcm`:
 1. Verify that your SAML service provider supports `aes256-gcm`, and contact them for support if they do not.
-2. Set the encryption in your Action code with `api.samlResponse.setEncryptionAlgorithm("aes256-gcm");`.
+2. Set the encryption algorithm in your Action code with `api.samlResponse.setEncryptionAlgorithm("aes256-gcm");`.
From 67fdb8d75a3897284ef75b1ffb372cac0de3a465 Mon Sep 17 00:00:00 2001
From: Carlos
Date: Fri, 10 Apr 2026 11:35:43 +0200
Subject: [PATCH 11/11] update
---
 .../saml-sso-integrations/sign-and-encrypt-saml-requests.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx b/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
index 00f4fbb601..8b2ffa3a87 100644
--- a/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
+++ b/main/docs/authenticate/protocols/saml/saml-sso-integrations/sign-and-encrypt-saml-requests.mdx
@@ -269,7 +269,7 @@ exports.onExecutePostLogin = async (event, api) => {
 Auth0 supports the following algorithms for assertion encryption:
 * [`aes256-gcm`](http://www.w3.org/2001/04/xmlenc#aes256-gcm) **(recommended)**: Authenticated encryption that provides both confidentiality and integrity. It is resistant to format validity oracle attacks.
-* [`aes256-cbc`](http://www.w3.org/2001/04/xmlenc#aes256-cbc) (default): It does not provide integrity guarantees. When an Action does not use the object `api.samlResponse.setEncryptionAlgorithm` to set the encryption algorithm, Auth0 defaults to the `aes256-cbc` algorithm and logs a deprecation warning in your tenant logs.
+* [`aes256-cbc`](http://www.w3.org/2001/04/xmlenc#aes256-cbc) (default): It does not provide integrity guarantees. When an Action does not use the object [`api.samlResponse.setEncryptionAlgorithm`](/docs/customize/actions/explore-triggers/signup-and-login-triggers/login-trigger/post-login-api-object#api-samlresponse-setencryptioncert-encryptioncert) to set the encryption algorithm, Auth0 defaults to the `aes256-cbc` algorithm and logs a deprecation warning in your tenant logs.
 * [`rsa-oaep`](http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p), including MGF1 and SHA1 used for key transport.