SSO Troubleshooting: SAML Response Status Message Of Signature Required
Learn how to resolve a PingFederate configuration error during SSO
What This Error Means
When using PingFederate as your identity provider, single sign‑on fails after authentication. Upon inspecting the SAML response, you see the following status message:
Signature required
This message appears within the SAML response status returned to Foundry.
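To confirm that this is the failure you are seeing, the status can be read directly from a captured SAMLResponse form value (HTTP POST binding). The Python below is an added example, not Foundry or PingFederate code; the function name saml_status and the sample response, including its Responder status code, are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def saml_status(saml_response_b64):
    """Decode a POST-binding SAMLResponse value and return its status fields."""
    # Captured values often carry line breaks; remove whitespace before decoding.
    raw = base64.b64decode("".join(saml_response_b64.split()), validate=True)
    # SAML messages never need a DTD; refuse one rather than expand entities.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD found in SAML message")
    root = ET.fromstring(raw)
    status = root.find("samlp:Status", NS)
    if status is None:
        raise ValueError("no samlp:Status element in response")
    # StatusCode elements nest: the first is the top-level code, the rest are sub-codes.
    codes = [c.get("Value") for c in status.iter("{%s}StatusCode" % NS["samlp"])]
    message = status.findtext("samlp:StatusMessage", default="", namespaces=NS)
    return {
        "success": bool(codes) and codes[0] == SUCCESS,
        "codes": codes,
        "message": message.strip(),
    }


# Constructed sample, not a capture from a real PingFederate deployment.
# The Responder status code is an assumption; only the message text is from this page.
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/>
    <samlp:StatusMessage>Signature required</samlp:StatusMessage>
  </samlp:Status>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML).decode()

if __name__ == "__main__":
    print(saml_status(SAMPLE_B64))
```

A result with success set to False and a message of Signature required matches the error described in this article.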
Why This Happens
This error is caused by a PingFederate configuration setting that requires all authentication requests (AuthnRequests) from service providers to be digitally signed in a specific way.
Although Foundry does sign its AuthnRequests, PingFederate may still reject the request when this setting is enabled, resulting in the “Signature required” status message.
How to Resolve the Issue
When configuring Foundry as a service provider in PingFederate:
- Set “Require digitally signed AuthN requests” to false
After saving the change, retry the SSO login.
Additional Notes
- Foundry signs its AuthnRequests by default
- Despite this, customers report that disabling the “Require digitally signed AuthN requests” setting in PingFederate consistently resolves this error
- The exact reason PingFederate returns this error when the setting is enabled is unclear
Additional Resources
- PingFederate documentation: SPs may send signed SAML messages that require an IDP to have a signature verification certificate