Question

Caught Exception while validating SAML2 Authentication response protocol : Signature is valid but signer is unknown

Hi!

I've got the following error "Unable to process the SAML WebSSO request : Caught Exception while validating SAML2 Authentication response protocol : Caught Exception while validating SAML2 Authentication response protocol : Signature is valid but signer is unknown" when the Pega ACS URL is called. Certificates for IdP and SP are the same and there are no mistakes in configuration on both sides. Could you give me advice on what causes that issue?

***Moderator Edit-Vidyaranjan: Updated Platform Capability***

Comments

Pega
October 15, 2019 - 6:22am

Hi,

This exception is thrown when the SAML request which is signed by the certificate is not accepted by the IDP. Could you kindly check with your IDP team on why there is an issue on accepting this request that is signed?

October 15, 2019 - 8:17am
Response to thaln

Are you sure? Because in this case Pega is the SP and Salesforce is the IDP. Even if I disable verifying request signatures in Salesforce, the exception is thrown. I think it is related to the SP because the exception is thrown when the SAML Response is sent from the IDP to the SP.

Pega
October 15, 2019 - 10:12am

Hi,

Which Pega version are you using? If it's 8.x, then verify if the certificate Alias loaded from IdP metadata is in lowercase or uppercase under Authentication service.

If it's in upper case then edit the Alias, remove the certificate signature and select the lowercase signature which displays by default with IdP.

Thank you,

October 16, 2019 - 7:56am
Response to goela1

Thanks for your suggestion, we are using version 8.3. However, we've tried this scenario and nothing has changed. Also, we had 2 separate configs on one Pega environment and one of them was working (no exception was thrown). Nothing was changed and the previously working one started to throw the same exception. Do you have any other ideas about what could have happened?