For a custom Security Assertion Markup Language Identity Provider (SAML IdP) implementation, it is possible to see the following error in the Okta system logs:
The digital signature in the SAML response did not validate with the Identity Provider's certificate
In some circumstances, decoding the response with samltool.io results in one of the following errors under the signature section, reported as "Invalid Signature":
XMLJS0013: Cryptographic error: Invalid digest for uri '#_abc123'. Calculated digest is value1= but the xml to validate supplies digest value2=
OR
The calculated signature does not match the signature of the message.
- Identity Provider (IdP)
- Security Assertion Markup Language Identity Provider (SAML IdP)
- Single Sign On (SSO)
The error can be related to several possible configuration issues:
- A mismatched certificate.
- A SAML response is sent as both a POST body and a parameter in the same request.
- URL encoding a SAML response being sent in a POST.
- An unsupported Transform Algorithm.
Check each of the following to resolve the error:
- Ensure that the certificate used by the IdP to sign the SAML response matches the certificate uploaded to Okta's IdP configuration.
- When sending a SAML response in a POST body, the raw XML should be Base64 encoded only.
- When sending a SAML response as a parameter in a GET request, the raw XML should be gzip-deflated, Base64 encoded, then URL encoded.
- Ensure that the SAML response is either sent in the body of a POST request or as a parameter in a GET request, but not both.
- Use a supported transform algorithm such as http://www.w3.org/2001/10/xml-exc-c14n# (Exclusive XML Canonicalization).
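The following is an added example (not code from the Okta article or from Okta) that puts the encoding rules above into working form: it encodes a SAML response for the HTTP-POST binding (Base64 only) and for the HTTP-Redirect binding (raw DEFLATE, Base64, URL encoding), rejects a POST body value that was URL encoded on top of Base64, rejects a request that carries `SAMLResponse` in both the form body and the query string, and compares the SHA-256 fingerprint of the certificate embedded in `ds:X509Certificate` with the certificate the SP has on file. The sample response, the dummy certificate bytes and all function names are constructed for this example; only the Python standard library is used.

```python
"""Added example: SAML response encoding checks for the POST and Redirect
bindings plus a signing-certificate fingerprint comparison (stdlib only)."""
import base64
import hashlib
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import quote, unquote

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed stand-in for the IdP's DER-encoded signing certificate. A real
# deployment would use the bytes of the certificate uploaded to the SP.
DUMMY_CERT_DER = b"\xfb\xff" + b"constructed-dummy-cert"

# Constructed, minimal SAML Response carrying only the parts inspected below.
SAMPLE_RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_abc123" Version="2.0">'
    f'<ds:Signature xmlns:ds="{DS_NS}"><ds:KeyInfo><ds:X509Data>'
    f'<ds:X509Certificate>{base64.b64encode(DUMMY_CERT_DER).decode()}'
    '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>'
    '<samlp:Status><samlp:StatusCode '
    'Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
    '</samlp:Response>'
)


def encode_for_post_binding(xml: str) -> str:
    """HTTP-POST binding: Base64 of the raw XML and nothing else. The browser
    form-encodes the SAMLResponse field on submit, so URL encoding it here
    would double-encode it."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def mistakenly_url_encoded_post_value(xml: str) -> str:
    """The misconfiguration from the article: URL encoding applied on top of
    the Base64 value that goes into the POST body."""
    return quote(encode_for_post_binding(xml), safe="")


def encode_for_redirect_binding(xml: str) -> str:
    """HTTP-Redirect binding (GET parameter): raw DEFLATE, Base64, URL encode."""
    comp = zlib.compressobj(level=9, wbits=-15)  # wbits=-15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    return quote(base64.b64encode(deflated).decode("ascii"), safe="")


def decode_post_body_value(value: str) -> str:
    """Decode a SAMLResponse taken from a form-decoded POST body. Base64 text is
    unchanged by URL decoding, so a value that changes was double-encoded and
    the signature over the decoded bytes would not validate."""
    if unquote(value) != value:
        raise ValueError("SAMLResponse in POST body is URL encoded; expected Base64 only")
    return base64.b64decode(value, validate=True).decode("utf-8")


def decode_redirect_param_value(value: str) -> str:
    """Reverse the Redirect-binding encoding: URL decode, Base64 decode, inflate."""
    raw = base64.b64decode(unquote(value), validate=True)
    return zlib.decompress(raw, wbits=-15).decode("utf-8")


def check_request(form: dict, query: dict) -> tuple:
    """Return (decoded_xml, problem); exactly one of the two is None.
    The response must arrive in the POST body or the query string, not both."""
    in_form, in_query = "SAMLResponse" in form, "SAMLResponse" in query
    try:
        if in_form and in_query:
            raise ValueError("SAMLResponse present in both POST body and query string")
        if in_form:
            return decode_post_body_value(form["SAMLResponse"]), None
        if in_query:
            return decode_redirect_param_value(query["SAMLResponse"]), None
        raise ValueError("no SAMLResponse in request")
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return None, str(exc)


def signing_cert_fingerprint(xml: str) -> str:
    """SHA-256 fingerprint of the DER certificate carried in ds:X509Certificate."""
    node = ET.fromstring(xml).find(f".//{{{DS_NS}}}X509Certificate")
    if node is None or not node.text:
        raise ValueError("response carries no ds:X509Certificate")
    der = base64.b64decode("".join(node.text.split()))
    return hashlib.sha256(der).hexdigest()


def cert_matches_uploaded(xml: str, uploaded_der: bytes) -> bool:
    """True when the certificate in the response is the one the SP has on file."""
    return signing_cert_fingerprint(xml) == hashlib.sha256(uploaded_der).hexdigest()


if __name__ == "__main__":
    post_value = encode_for_post_binding(SAMPLE_RESPONSE_XML)
    redirect_value = encode_for_redirect_binding(SAMPLE_RESPONSE_XML)
    print("POST only:", check_request({"SAMLResponse": post_value}, {})[1])
    print("GET only:", check_request({}, {"SAMLResponse": redirect_value})[1])
    print("both:", check_request({"SAMLResponse": post_value},
                                 {"SAMLResponse": redirect_value})[1])
    print("double-encoded POST:", check_request(
        {"SAMLResponse": mistakenly_url_encoded_post_value(SAMPLE_RESPONSE_XML)}, {})[1])
    print("cert matches:", cert_matches_uploaded(SAMPLE_RESPONSE_XML, DUMMY_CERT_DER))
```

The fingerprint comparison only tells you whether the IdP signed with the certificate you uploaded; it does not replace signature verification, which still has to run over the canonicalized XML with the transform algorithm the last item above names.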
