
JuanS.86776 (Avalon Healthcare Solutions) asked a question.
Hello Community,
First time here.
I am getting the following error message when a client is attempting to SSO into my application. In the SAML, the X.509 certificate (<X509Certificate> in the SAML) is the same X.509 value as the one he sent me to upload.
"The digital signature in the SAML response did not validate with the Identity Provider's certificate"
Can someone help shed light on what to do next? I have exhausted all options I can think of.
I will add that, because this is an IdP-initiated flow, the client told me he did not need my cert. Not sure if this is correct.
Best,

Hello @JuanS.86776 (Avalon Healthcare Solutions) ,
Yes, you need the IdP's certificate.
Are you writing your own SP? Most SPs or SAML libraries come with functionality to do this.
Regards,
Natalia
Okta Inc.
My client (who is the IdP) sent me their X.509 cert and I have uploaded it in Okta. When he captures a SAML trace, the cert in the trace matches the one he sent me. The error is throwing me off because the certs match.
Hello @JuanS.86776 (Avalon Healthcare Solutions) ,
Thank you for following up.
Can you check if you have the private key? This is also required.
Regards,
Natalia
Okta Inc.
Natalia,
I'm not sure what you mean by me having the private key.
I have my client's cert that I uploaded in Okta. I gave him my cert, but he said he doesn't need it.
Should I ask him to include my cert in the Response?
Hello @JuanS.86776 (Avalon Healthcare Solutions),
Thank you for following up.
You need certificates on both sides during the exchange. Also, please confirm that the certificates are not expired.
Here are some links that you can check for troubleshooting this error:
https://www.samltool.com/validate_response.php
https://helpx.adobe.com/in/enterprise/kb/tshoot-fed-id.html >>> go to the section: Error "The digital signature in the SAML response did not validate with the identity provider's certificate"
Regards,
Natalia
Okta Inc.
Natalia,
I was able to fix the issue. It looks like they were not signing the assertion; they were just sending the cert in the response.
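The fix above (an IdP embedding its certificate without actually signing anything) is the kind of thing a quick structural check of the SAMLResponse catches before anyone starts swapping certificates. The following Python script is an added example, not code from this thread or from Okta; it uses only the standard library, and the SAML messages and certificate bytes in it are constructed placeholders (the "certificates" are arbitrary bytes, not real X.509, because the check only compares fingerprints). It does not verify the RSA signature itself (that needs an XML-DSig library such as signxml or python3-saml); it answers the two questions that explain most occurrences of the error: is there a complete ds:Signature directly under the Response and/or the Assertion, and does the certificate embedded in it match the one uploaded at the SP.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production (XML bomb protection)

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def cert_fingerprint(cert_text: str) -> str:
    """SHA-256 fingerprint of the DER bytes. Strips PEM armour and all whitespace,
    so a PEM file and the text of an <ds:X509Certificate> element compare equal
    even when one is line-wrapped and the other is not."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", cert_text)
    der = base64.b64decode("".join(body.split()))
    return hashlib.sha256(der).hexdigest()


def _complete_signature(elem) -> bool:
    """True only if elem has a DIRECT child ds:Signature with SignedInfo and
    SignatureValue. A Signature nested deeper does not cover elem, and a bare
    KeyInfo (certificate but no signed digest) is not a signature at all."""
    if elem is None:
        return False
    sig = elem.find("ds:Signature", NS)
    return (
        sig is not None
        and sig.find("ds:SignedInfo", NS) is not None
        and sig.find("ds:SignatureValue", NS) is not None
    )


def inspect_saml_response(saml_response_b64: str, sp_uploaded_cert: str) -> dict:
    """Structural pre-flight check for 'signature did not validate' errors."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    assertion = root.find("saml:Assertion", NS)
    encrypted = root.find("saml:EncryptedAssertion", NS) is not None

    embedded = [c.text for c in root.iter(f"{{{NS['ds']}}}X509Certificate") if c.text]
    embedded_fps = sorted({cert_fingerprint(c) for c in embedded})

    report = {
        "response_signed": _complete_signature(root),
        "assertion_signed": _complete_signature(assertion),
        "assertion_encrypted": encrypted,
        "embedded_cert_fingerprints": embedded_fps,
        "cert_matches_uploaded": cert_fingerprint(sp_uploaded_cert) in embedded_fps,
    }
    if not (report["response_signed"] or report["assertion_signed"]):
        if encrypted:
            report["verdict"] = "ENCRYPTED_ASSERTION_UNCHECKED"  # decrypt first, then re-run
        else:
            report["verdict"] = "UNSIGNED"  # cert may be present, but nothing carries a signature
    elif embedded_fps and not report["cert_matches_uploaded"]:
        report["verdict"] = "CERT_MISMATCH"  # IdP signs with a cert other than the uploaded one
    else:
        report["verdict"] = "STRUCTURE_OK"  # now verify SignatureValue with an XML-DSig library
    return report


# --- constructed sample data (placeholders, not real certificates or signatures) ---
IDP_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real X.509 certificate").decode()
IDP_CERT_PEM = f"-----BEGIN CERTIFICATE-----\n{IDP_CERT_B64}\n-----END CERTIFICATE-----\n"
OTHER_CERT_B64 = base64.b64encode(b"a different constructed placeholder certificate").decode()


def build_response(cert_b64: str, sign_response: bool, sign_assertion: bool) -> str:
    """Build a minimal base64 SAMLResponse. Unsigned elements still carry a bare
    ds:KeyInfo with the cert, mimicking an IdP that sends the cert but signs nothing."""
    key_info = (f'<ds:KeyInfo xmlns:ds="{NS["ds"]}"><ds:X509Data>'
                f'<ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>')

    def sig(ref):
        return (f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo><ds:Reference URI="#{ref}"/>'
                f'</ds:SignedInfo><ds:SignatureValue>Y29uc3RydWN0ZWQ=</ds:SignatureValue>'
                f'{key_info}</ds:Signature>')

    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" Version="2.0">'
           + (sig("_r1") if sign_response else "")
           + '<saml:Assertion ID="_a1" Version="2.0">'
           + (sig("_a1") if sign_assertion else key_info)
           + '<saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>'
           + '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    for label, resp in [
        ("cert sent, nothing signed", build_response(IDP_CERT_B64, False, False)),
        ("response + assertion signed", build_response(IDP_CERT_B64, True, True)),
        ("signed with a different cert", build_response(OTHER_CERT_B64, False, True)),
    ]:
        print(label, "->", inspect_saml_response(resp, IDP_CERT_PEM)["verdict"])
```

Run it against a real capture by pasting the SAMLResponse form value (the base64 blob from the browser's SAML trace, after URL-decoding) in place of the constructed message and the IdP's PEM in place of IDP_CERT_PEM. A verdict of UNSIGNED with a matching fingerprint is exactly the situation in this thread: the certificate comparison passes, but there is no signature for the SP to validate. If the IdP signs only the Response, note that some SPs insist on a signed Assertion, so check which element your SP requires.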
Sorry Juan, can you please explain the fix details? I am getting the same issue for Azure AD IdP. Thanks.