
SSO Troubleshooting: Invalid Signature on SAML Response

Learn how to resolve an invalid signature error during SSO

What This Error Means

During single sign‑on, a user successfully authenticates with their identity provider (IdP) but encounters the following error after returning to Foundry:

Invalid Signature on SAML Response
Fingerprint mismatch


Why This Happens

This error indicates a certificate mismatch between the identity provider and Foundry.

The identity provider is signing the SAML response with a certificate that does not match the certificate currently configured for that identity provider in Foundry.


How SSO Signature Validation Works

At a high level, SSO validation follows this flow:

  1. The identity provider sends a SAML response
    • This can occur during IdP‑initiated SSO or after Foundry sends an authentication request during SP‑initiated SSO
  2. The SAML response includes:
    • An X.509 certificate
    • A digital signature
  3. Foundry:
    • Extracts the certificate from the SAML response
    • Calculates the certificate fingerprint
    • Compares it to the fingerprint stored in the Foundry identity provider configuration
  4. If the fingerprints do not match, Foundry cannot verify the signature and blocks the login attempt
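The fingerprint comparison in step 3, as an added Python example that is not Foundry's own code: it pulls the ds:X509Certificate out of a SAML response, hashes the DER bytes, and compares the result with a configured fingerprint while ignoring case, colons and spacing, which is where hand-copied fingerprints usually go wrong. The sample response, its placeholder certificate bytes and the colon-separated SHA-256 hex format are constructed assumptions, not Foundry's stored format.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample: the X509Certificate element holds placeholder bytes, not a
# real certificate, since only the extract-hash-compare logic is demonstrated.
SAMPLE_CERT_DER = b"constructed-placeholder-certificate-bytes"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:ds="{DS_NS}">
  <ds:Signature>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {base64.b64encode(SAMPLE_CERT_DER).decode()}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:Response>"""


def extract_certificate(saml_response_xml: str) -> bytes:
    """Return the DER bytes of the first ds:X509Certificate in the response."""
    node = ET.fromstring(saml_response_xml).find(f".//{{{DS_NS}}}X509Certificate")
    if node is None or not node.text:
        raise ValueError("SAML response carries no ds:X509Certificate")
    # IdPs usually line-wrap the base64 text; drop all whitespace before decoding.
    return base64.b64decode("".join(node.text.split()))


def fingerprint(cert_der: bytes, algorithm: str = "sha256") -> str:
    """Hash the DER-encoded certificate and render it as colon-separated hex."""
    digest = hashlib.new(algorithm, cert_der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Canonical form so 'AB:CD', 'ab cd' and 'abcd' compare as equal."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")


def signature_check(saml_response_xml: str, configured_fp: str,
                    algorithm: str = "sha256") -> tuple[bool, str]:
    """Return (match, fingerprint_seen) so a mismatch can be reported to the admin."""
    seen = fingerprint(extract_certificate(saml_response_xml), algorithm)
    return normalize(seen) == normalize(configured_fp), seen
```

Running the check with the wrong algorithm (for example a SHA-1 value configured while SHA-256 is expected) fails exactly like a wrong certificate does, which is why the resolution steps ask you to verify both the certificate and the algorithm.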


How to Resolve the Issue

  1. Open the identity provider configuration in Foundry
    • Verify the IdP certificate and certificate algorithm are correct
  2. Confirm the certificate configured in Foundry is the same certificate the identity provider uses to sign SAML responses
  3. Inspect the SAML response sent by the identity provider
    • Use SAML Tracer or a similar tool
    • Locate the certificate included in the response
    • Compare the certificate text to what is configured in Foundry
  4. If certificates were changed during setup or troubleshooting:
    • Ensure the correct certificate is saved in the Foundry identity provider configuration
    • Remove any outdated or unused certificates

If the Issue Persists

If the certificate and algorithm configured in Foundry appear correct and the error continues:

  • Contact Support for further investigation

In some cases, the certificate fingerprint may have been calculated incorrectly when the identity provider configuration was originally saved and may need to be re‑evaluated.