SSO Troubleshooting: Invalid Signature on SAML Response
Learn how to troubleshoot Invalid Signature on SAML Response.
Error
A user attempts to SSO, authenticates successfully to their IDP, returns to Foundry and sees this error message in Foundry:
Invalid Signature on SAML Response Fingerprint mismatch
Explanation
There is a certificate mismatch between the IDP and Foundry. The IDP is signing with a certificate that is different from the IDP certificate that is on record in Foundry.
Resolution
First, verify that the IDP certificate and IDP certificate algorithm in the Foundry IDP configuration are correct and correspond to the certificate the identity provider actually uses to sign its SAML messages. If the identity provider sends a different certificate in the SAML Response than the one entered in Foundry, that mismatch causes this error. One way to check is to capture the SAML Response the identity provider sends with SAML Tracer. Look in the response for the certificate between the X509Certificate tags, and make sure the certificate text is the same as the one in the Foundry identity provider config. If you mixed up certificates during setup, or made a series of changes, it is possible to end up with the wrong certificate in the Foundry IDP config.
For background, this is the flow in single sign-on:
- Your identity provider sends a SAML Response. This is triggered by IDP-initiated SSO, or by a SAML AuthnRequest from Foundry during SP-initiated SSO.
- The SAML Response contains an X509Certificate and a signature.
- Foundry calculates the fingerprint from the certificate in the SAML Response and compares it to the IDP certificate fingerprint in the Foundry IDP config. They must be identical. The IDP certificate fingerprint in the Foundry IDP config was calculated from the IDP certificate you entered, or, if you did not enter a certificate, from the IDP certificate fingerprint you entered.
- Next, using the certificate fingerprint generated from the certificate in the SAML Response, Foundry verifies the signature in the SAML Response to ensure it is valid.
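The fingerprint comparison in the flow above can be reproduced locally from a SAML Tracer capture, which is a quick way to tell a wrong certificate from a wrong digest algorithm before contacting support. The script below is an added example, not Foundry's or EVERFI's own code: it pulls the X509Certificate out of a SAML Response, computes the certificate fingerprint with the selected algorithm, and compares it to the fingerprint on record. The sample response and the certificate bytes inside it are constructed placeholders (not a real certificate), and the function names are this example's own.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# XML Digital Signature namespace used for ds:Signature / ds:X509Certificate
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed placeholder: an arbitrary byte string standing in for DER certificate
# bytes. Fingerprints are hashes of the DER bytes, so a real X.509 structure is not
# needed to demonstrate the comparison.
SAMPLE_CERT_DER = b"constructed-placeholder-certificate-bytes-not-a-real-x509"

# Constructed minimal SAML Response carrying the placeholder certificate.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="{DS_NS}" ID="_constructed" Version="2.0">
  <ds:Signature>
    <ds:SignedInfo/>
    <ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>
          {base64.b64encode(SAMPLE_CERT_DER).decode()}
        </ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
</samlp:Response>"""

# Expected hex digest lengths for the algorithms an IDP config typically offers
HEX_LENGTHS = {"sha1": 40, "sha256": 64}


def extract_cert_der(saml_response_xml: str) -> bytes:
    """Return the DER bytes of the first X509Certificate in the SAML Response."""
    root = ET.fromstring(saml_response_xml)
    node = root.find(f".//{{{DS_NS}}}X509Certificate")
    if node is None or not (node.text or "").strip():
        raise ValueError("no X509Certificate element in SAML Response")
    # The base64 body is usually wrapped over several lines; drop all whitespace first
    return base64.b64decode("".join(node.text.split()))


def fingerprint(der: bytes, algorithm: str = "sha1") -> str:
    """Lower-case hex fingerprint of the DER bytes using the given digest algorithm."""
    return hashlib.new(algorithm, der).hexdigest().lower()


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..' or 'abcd..' style input and return plain lower-case hex."""
    return re.sub(r"[^0-9a-f]", "", fp.lower())


def fingerprint_matches(saml_response_xml: str, configured_fp: str,
                        algorithm: str = "sha1") -> bool:
    """True when the certificate in the response hashes to the configured fingerprint."""
    actual = fingerprint(extract_cert_der(saml_response_xml), algorithm)
    return actual == normalize_fingerprint(configured_fp)


def diagnose(saml_response_xml: str, configured_fp: str, algorithm: str = "sha1") -> str:
    """Classify a mismatch so the right setting gets corrected."""
    expected = normalize_fingerprint(configured_fp)
    actual = fingerprint(extract_cert_der(saml_response_xml), algorithm)
    if actual == expected:
        return "ok"
    # A digest of the wrong length points at the algorithm setting, not the certificate
    if len(expected) != HEX_LENGTHS.get(algorithm, len(expected)):
        return "algorithm mismatch"
    return "certificate mismatch"


if __name__ == "__main__":
    on_record = fingerprint(SAMPLE_CERT_DER, "sha1")
    print("fingerprint from response:", fingerprint(extract_cert_der(SAMPLE_RESPONSE)))
    print("sha1 config, correct value :", diagnose(SAMPLE_RESPONSE, on_record, "sha1"))
    print("sha256 config, sha1 value  :", diagnose(SAMPLE_RESPONSE, on_record, "sha256"))
    print("sha1 config, other cert    :", diagnose(SAMPLE_RESPONSE, "00" * 20, "sha1"))
```

To use it on a real capture, paste the decoded SAML Response from SAML Tracer in place of SAMPLE_RESPONSE and the fingerprint from the Foundry IDP config in place of on_record. An "algorithm mismatch" result means the configured digest length does not fit the selected IDP certificate algorithm; a "certificate mismatch" means the IDP is signing with a certificate other than the one on record.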
If you believe the IDP certificate and IDP certificate algorithm in Foundry are correct and you continue to see this error, then contact EVERFI. We will need to investigate further. It is possible that when your identity provider metadata was keyed into the Foundry IDP setup, the fingerprint digest for your certificate was calculated incorrectly.