Skip to main content

This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

SAML: Signature does not validate against the credential's key

SA-10439

Summary



"SAML signature validation failed" error during log in with SAML AutheService.

Error Messages



Caught Exception while processing SAML2 Authentication response
com.pega.pegarules.pub.PRRuntimeException: Caught Exception while validating SAML2 Authentication response protocol : SAML signature validation failed
at com.pega.pegarules.integration.engine.internal.sso.saml.SAMLv2ResponseProtocolValidator.validate(SAMLv2ResponseProtocolValidator.java:185)
at com.pega.pegarules.integration.engine.internal.util.PRSAMLv2Utils.validateResponse(PRSAMLv2Utils.java:519)
at com.pega.pegarules.integration.engine.internal.util.PRSAMLv2Utils.processAuthenticationResponse(PRSAMLv2Utils.java:488)
at com.pegarules.generated.activity.ra_action_pysamlwebssoauthenticationactivity_02ab975d06af72caead767130cb77400.step15_circum0(ra_action_pysamlwebssoauthenticationactivity_02ab975d06af72caead767130cb77400.java:1518)
at com.pegarules.generated.activity.ra_action_pysamlwebssoauthenticationactivity_02ab975d06af72caead767130cb77400.perform(ra_action_pysamlwebssoauthenticationactivity_02ab975d06af72caead767130cb77400.java:350)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3375)
at com.pega.pegarules.session.internal.mgmt.authentication.AuthenticationUtil.runActivity(AuthenticationUtil.java:208)
at com.pega.pegarules.session.internal.mgmt.authentication.SchemePRCustom.authenticateOperator(SchemePRCustom.java:695)
.
.
.
at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1865)
Caused by:
org.apache.wss4j.common.ext.WSSecurityException: SAML signature validation failed
Original Exception was org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
at org.apache.wss4j.common.saml.SamlAssertionWrapper.verifySignature(SamlAssertionWrapper.java:634)
at com.pega.pegarules.integration.engine.internal.sso.saml.SAMLv2ResponseProtocolValidator.validateAssertion(SAMLv2ResponseProtocolValidator.java:287)
at com.pega.pegarules.integration.engine.internal.sso.saml.SAMLv2ResponseProtocolValidator.validate(SAMLv2ResponseProtocolValidator.java:152)
... 68 more
Caused by:
org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:79)
at org.apache.wss4j.common.saml.SamlAssertionWrapper.verifySignature(SamlAssertionWrapper.java:632)
... 70 more


Steps to Reproduce



Log in with SAML AutheService to observe the error.

Root Cause



The following was sent in the SAMLResponse attributes:

xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"

This caused problems with OpenSAML verification of the response.

Resolution



Remove namespace from the attributes to resolve the issue.
Suggest Edit

Published June 12, 2015 - Updated October 8, 2020

Did you find this content helpful? Yes No

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.

We'd prefer it if you saw us at our best.

Pega Community has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice
Contact us