This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

Exception while validating SAML2 Authentication response

SA-8996

Summary



You use the SAML mechanism to provide a Single Sign-On (“SSO”) facility for a Pega 7.1.7 system. The IdP server is set up to require digital signatures:

Signature policy
  Require digitally signed AuthN requests: true
  Always sign the SAML Assertion: true
 
 
On Pega 7.1.7 the checkbox labelled ‘Disable Signature’ is checked on SAML ‘Auth Rule’.
 
When you perform an SSO from Pega 7.1.7, an error is displayed in the browser:
 

Error Messages



Unable to process the SAML WebSSO request : Unable to process SAML2 Authentication response : Caught Exception while validating SAML2 Authentication response protocol : Received SAML token with invalid status code : urn:oasis:names:tc:SAML:2.0:status:Requester
 
The SAML TRACER tool provides the complete version of the error message:

<samlp:Status>
        <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
        <samlp:StatusMessage>Signature required</samlp:StatusMessage>
</samlp:Status>
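The status block above is the part of the tracer output that tells you which side of the exchange is complaining: a top-level StatusCode of urn:oasis:names:tc:SAML:2.0:status:Requester means the IdP is rejecting the request the SP sent, so the fix belongs on the SP (here, the Pega Auth Rule), and the StatusMessage ("Signature required") says why. The following is an added example, not code from the Pega article: a small Python script that parses the samlp:Status element out of a captured Response and turns it into a one-line diagnosis. The sample Response embedded in it is constructed for the example (the article's status block wrapped in a minimal Response element with the samlp namespace declared); the meanings table covers the four top-level codes defined by SAML 2.0 Core.

```python
"""Classify the <samlp:Status> of a SAML 2.0 Response.

Added example, not code from the Pega article: given the XML a browser
SAML tracer captured, pull out the top-level StatusCode, any second-level
StatusCode and the StatusMessage, and say which side reported the failure.
"""
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"samlp": SAMLP}

# Top-level status codes defined in SAML 2.0 Core, section 3.2.2.2.
# Requester means the IdP blames the request it received from the SP, so
# the fix is on the SP (here: the Pega Auth Rule), not on the IdP.
STATUS_MEANING = {
    "urn:oasis:names:tc:SAML:2.0:status:Success": "request succeeded",
    "urn:oasis:names:tc:SAML:2.0:status:Requester":
        "IdP rejected the SP's request; fix the SP-side configuration",
    "urn:oasis:names:tc:SAML:2.0:status:Responder":
        "IdP could not process the request for its own reasons",
    "urn:oasis:names:tc:SAML:2.0:status:VersionMismatch":
        "SAML protocol version mismatch",
}

# Constructed sample: the status block from the article wrapped in a minimal
# Response element (with the samlp namespace declared) so that it parses.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_constructed-example" Version="2.0" IssueInstant="2015-06-12T00:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Requester" />
    <samlp:StatusMessage>Signature required</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""


def parse_status(xml_text):
    """Return the code, optional sub-code and message of the Status element."""
    root = ET.fromstring(xml_text)
    # Accept either a whole Response or a bare Status element as the root.
    status = root if root.tag == "{%s}Status" % SAMLP else root.find("samlp:Status", NS)
    if status is None:
        raise ValueError("no samlp:Status element found")
    code_el = status.find("samlp:StatusCode", NS)
    if code_el is None or "Value" not in code_el.attrib:
        raise ValueError("samlp:StatusCode/@Value is missing")
    sub_el = code_el.find("samlp:StatusCode", NS)  # nested second-level code, if any
    msg_el = status.find("samlp:StatusMessage", NS)
    return {
        "code": code_el.attrib["Value"],
        "subcode": sub_el.attrib.get("Value") if sub_el is not None else None,
        "message": (msg_el.text or "").strip() if msg_el is not None else "",
    }


def diagnose(xml_text):
    """Return (top-level code, one-line human-readable diagnosis)."""
    st = parse_status(xml_text)
    meaning = STATUS_MEANING.get(st["code"], "unknown top-level status code")
    summary = "%s: %s" % (st["code"].rsplit(":", 1)[-1], meaning)
    if st["subcode"]:
        summary += " [sub-code %s]" % st["subcode"].rsplit(":", 1)[-1]
    if st["message"]:
        summary += " (IdP says: %s)" % st["message"]
    return st["code"], summary


if __name__ == "__main__":
    print(diagnose(SAMPLE_RESPONSE)[1])
    # Requester: IdP rejected the SP's request; fix the SP-side configuration (IdP says: Signature required)
```

Run it against the Response element copied out of the SAML tracer (the whole Response, not just the Status, unless you add the samlp namespace declaration to the fragment yourself).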



Steps to Reproduce



1. Configure the IdP server to require digital signatures.
2. Configure the Pega 7.1.7 Auth Rule with the option ‘Disable Signature’ switched ON.
3. Attempt an SSO operation.

Root Cause



The root cause of this problem is a misconfiguration in the operating environment: the IdP requires a digital signature on the AuthN request, but the Pega 7.1.7 Auth Rule has ‘Disable Signature’ checked, so the request is sent unsigned and the IdP rejects it with the status Requester (“Signature required”). If the IdP requires a digital signature, you must switch OFF the option labelled ‘Disable Signature’ and provide the required digital certificate to both Pega 7.1.7 and the IdP server.

Resolution



If your IdP server requires digital signatures, you must configure the Pega 7.1.7 Auth Rule so that it is able to provide them. This means you must create or obtain a DSA (or RSA) key pair for which you hold the private-key password; this key pair, contained in a JKS keystore, must be uploaded to Pega 7.1.7. You must then provide the certificate (the public-key portion of the key pair) to the IdP server.

Here are the overall steps (assuming you do not already have a keypair available).

1. Create your key pair using the standard Java tools, or a graphical third-party tool such as ‘KeyStore Explorer’.
2. Upload the keystore that contains your key pair to Pega 7.1.7 (create a ‘keystore’ rule; this requires you to know the ‘keystore password’).
3. On your Pega 7.1.7 ‘Auth’ Rule, ensure the ‘Disable Signature’ option is switched OFF.
4. Reference the keystore rule on the Auth Rule form and choose the correct key pair from the drop-down. This requires you to know the ‘keypair password’ (note that the two passwords needed here are the ‘keystore’ and ‘keypair’ passwords).
5. Save the SAML Auth Rule and use the option ‘Download SP metadata’.
6. Upload the metadata to your IdP server.
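Between steps 5 and 6 it is worth confirming that the downloaded SP metadata actually reflects the change: with ‘Disable Signature’ switched off and the keystore referenced, the SPSSODescriptor should declare AuthnRequestsSigned="true" and carry a KeyDescriptor usable for signing that contains the certificate the IdP needs. The following is an added example, not code from the Pega article or the product: a Python check over an SP metadata file that reports what is missing before you upload it. The two metadata documents embedded in it are constructed for the example (entity IDs, endpoint URLs and the certificate value are placeholders); the element and attribute names are those of the SAML 2.0 metadata schema, and a KeyDescriptor without a use attribute is treated as valid for signing, as the schema defines.

```python
"""Sanity-check SP metadata before uploading it to the IdP.

Added example, not part of the Pega article: after the Auth Rule has been
re-saved with 'Disable Signature' switched off and the keystore referenced,
the downloaded SP metadata should advertise signed AuthnRequests and carry
a signing certificate. This checks both so a bad upload is caught before
the next SSO attempt produces another 'Signature required' rejection.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample of metadata exported after the fix (placeholder values).
GOOD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/constructed">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIB-CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/constructed/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample of metadata exported while 'Disable Signature' was still
# checked: no signing key and no promise to sign requests.
BAD_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/constructed">
  <md:SPSSODescriptor AuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/constructed/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def check_sp_metadata(xml_text):
    """Return a list of problems; an empty list means the metadata looks right."""
    root = ET.fromstring(xml_text)
    sp_tag = "{%s}SPSSODescriptor" % NS["md"]
    sp = root if root.tag == sp_tag else root.find(".//md:SPSSODescriptor", NS)
    if sp is None:
        return ["no md:SPSSODescriptor element"]

    problems = []
    if sp.attrib.get("AuthnRequestsSigned", "false").lower() != "true":
        problems.append("AuthnRequestsSigned is not true: an IdP that requires "
                        "signed AuthN requests will reject this SP")

    # Per the metadata schema, a KeyDescriptor with no 'use' is good for both
    # signing and encryption, so only use="encryption" is excluded here.
    signing = [kd for kd in sp.findall("md:KeyDescriptor", NS)
               if kd.attrib.get("use", "signing") == "signing"]
    if not signing:
        problems.append("no KeyDescriptor usable for signing: the IdP has no "
                        "certificate to verify the SP's signatures with")
    else:
        certs = [c for kd in signing
                 for c in kd.findall(".//ds:X509Certificate", NS)
                 if (c.text or "").strip()]
        if not certs:
            problems.append("signing KeyDescriptor carries no X509Certificate")

    if sp.find("md:AssertionConsumerService", NS) is None:
        problems.append("no AssertionConsumerService endpoint")
    return problems


if __name__ == "__main__":
    for label, doc in (("good", GOOD_METADATA), ("bad", BAD_METADATA)):
        print(label, check_sp_metadata(doc) or "OK")
```

Point it at the file produced by ‘Download SP metadata’; an empty problem list is what you want to see before step 6. The check deliberately does not validate the certificate itself (expiry, key type, match with the keystore); it only confirms that the metadata advertises what the IdP's signature policy demands.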


Here are example screenshots illustrating the process. They happen to use the graphical ‘KeyStore Explorer 5.1’ tool; note that only a test self-signed key is generated and used here.
Save the entire keystore (which, as it happens, contains only a single key pair).
In your Pega 7.1.7 application, navigate to Create > Security > Keystore to create a Keystore rule and upload the saved file.
Once the 'SP' metadata XML file is saved above, upload it to the IdP server and retry the SSO procedure from Pega 7.1.7.

Published June 12, 2015 - Updated October 8, 2020
