Support Article
SAML: Signature does not validate against the credential's key
SA-10439
Summary
"SAML signature validation failed" error during login with the SAML authentication service.
Error Messages
Caught Exception while processing SAML2 Authentication response
com.pega.pegarules.pub.PRRuntimeException: Caught Exception while validating SAML2 Authentication response protocol : SAML signature validation failed
at com.pega.pegarules.integration.engine.internal.sso.saml.SAMLv2ResponseProtocolValidator.validate(SAMLv2ResponseProtocolValidator.java:185)
at com.pega.pegarules.integration.engine.internal.util.PRSAMLv2Utils.validateResponse(PRSAMLv2Utils.java:519)
at com.pega.pegarules.integration.engine.internal.util.PRSAMLv2Utils.processAuthenticationResponse(PRSAMLv2Utils.java:488)
at com.pegarules.generated.activity.ra_action_pysamlwebssoauthenticationactivity_02ab975d06af72caead767130cb77400.step15_circum0(ra_action_pysamlwebssoauthenticationactivity_02ab975d06af72caead767130cb77400.java:1518)
at com.pegarules.generated.activity.ra_action_pysamlwebssoauthenticationactivity_02ab975d06af72caead767130cb77400.perform(ra_action_pysamlwebssoauthenticationactivity_02ab975d06af72caead767130cb77400.java:350)
at com.pega.pegarules.session.internal.mgmt.Executable.doActivity(Executable.java:3375)
at com.pega.pegarules.session.internal.mgmt.authentication.AuthenticationUtil.runActivity(AuthenticationUtil.java:208)
at com.pega.pegarules.session.internal.mgmt.authentication.SchemePRCustom.authenticateOperator(SchemePRCustom.java:695)
...
at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:775)
at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:905)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1865)
Caused by:
org.apache.wss4j.common.ext.WSSecurityException: SAML signature validation failed
Original Exception was org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
at org.apache.wss4j.common.saml.SamlAssertionWrapper.verifySignature(SamlAssertionWrapper.java:634)
at com.pega.pegarules.integration.engine.internal.sso.saml.SAMLv2ResponseProtocolValidator.validateAssertion(SAMLv2ResponseProtocolValidator.java:287)
at com.pega.pegarules.integration.engine.internal.sso.saml.SAMLv2ResponseProtocolValidator.validate(SAMLv2ResponseProtocolValidator.java:152)
... 68 more
Caused by:
org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key
at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:79)
at org.apache.wss4j.common.saml.SamlAssertionWrapper.verifySignature(SamlAssertionWrapper.java:632)
... 70 more
Steps to Reproduce
Log in through the SAML authentication service; the error above is raised and the login fails.
Root Cause
The attributes in the SAMLResponse were sent with the following namespace declaration:
xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
This is the SAML 1.0 assertion namespace, while the response itself is SAML 2.0; the unexpected namespace caused OpenSAML's verification of the response to fail with the error above.
Resolution
Remove the namespace declaration from the attributes in the SAMLResponse to resolve the issue.
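As an added illustration (example code written for this edit, not code from the article, Pega or OpenSAML), the following script shows why a stray namespace declaration is reported as a key problem rather than as a content problem: the digest in an XML signature's Reference is computed over the canonicalized element, a namespace bound to element names survives canonicalization, and so any change to that namespace alters the digest; the verifier can only report that the signature does not validate. The assertion XML, ID, issuer and attribute values are constructed; the script computes only the Reference digest, not the RSA signature value, uses the standard library only, and needs Python 3.8 or later for xml.etree.ElementTree.canonicalize. The function names are mine.

```python
# Added example (not from the Pega article): why a stray namespace declaration
# surfaces as "Signature did not validate against the credential's key".
# Standard library only; xml.etree.ElementTree.canonicalize needs Python 3.8+.
import base64
import hashlib
from xml.etree import ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"

# Constructed sample: the assertion as the IdP canonicalised and digested it
# before signing (ID, issuer and attribute values are made up).
ASSERTION_AS_SIGNED = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder-id" Version="2.0" IssueInstant="2015-06-12T00:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>user@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample of the failure mode in the article: the attribute block
# arrives with the saml prefix rebound to the SAML 1.0 assertion namespace.
ASSERTION_RECEIVED = ASSERTION_AS_SIGNED.replace(
    "<saml:AttributeStatement>",
    '<saml:AttributeStatement xmlns:saml="%s">' % SAML1_NS,
)


def canonical_form(xml_text: str) -> str:
    """Canonicalise the element the way an XML-DSig Reference transform does.

    C14N 2.0 in the stdlib, like the Exclusive C14N that SAML deployments use,
    emits only namespace declarations that are actually used, so a namespace
    bound to element names always ends up in the canonical bytes and in the digest.
    """
    return ET.canonicalize(xml_text, strip_text=True)


def reference_digest(xml_text: str) -> str:
    """Base64 SHA-256 over the canonical form: the ds:DigestValue the signer recorded."""
    digest = hashlib.sha256(canonical_form(xml_text).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def reference_matches(xml_text: str, recorded_digest: str) -> bool:
    """The verifier's reference check. A mismatch fails the whole signature, and
    Santuario/OpenSAML report that only as 'signature did not validate'."""
    return reference_digest(xml_text) == recorded_digest


def elements_outside_saml2(xml_text: str) -> list:
    """Diagnostic for a received assertion: element names not bound to the
    SAML 2.0 assertion namespace, so the offending declaration is found quickly.
    It inspects only; signed content must never be rewritten before verification."""
    root = ET.fromstring(xml_text)
    foreign = []
    for element in root.iter():
        namespace = element.tag[1:].split("}", 1)[0] if element.tag.startswith("{") else ""
        if namespace != SAML2_NS:
            foreign.append(element.tag)
    return foreign


if __name__ == "__main__":
    recorded = reference_digest(ASSERTION_AS_SIGNED)
    print("reference check, as-signed assertion:", reference_matches(ASSERTION_AS_SIGNED, recorded))
    print("reference check, received assertion: ", reference_matches(ASSERTION_RECEIVED, recorded))
    print("elements outside SAML 2.0 namespace: ", elements_outside_saml2(ASSERTION_RECEIVED))
```

Run against the two constructed assertions, the as-signed copy passes the reference check and the received copy fails it, while elements_outside_saml2 points at the AttributeStatement subtree as the place where the SAML 1.0 namespace was introduced. That is the same situation the article describes: the key is correct, but what was digested on the identity-provider side and what the service provider canonicalizes are no longer the same bytes, which is why the fix belongs in what is sent, not in how it is verified.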
Published June 12, 2015 - Updated October 8, 2020