detected a problem with assertion: Message was signed, but signature could not be verified

Cantor, Scott cantor.2 at
Mon Apr 28 17:27:45 EDT 2014

On 4/28/14, 2:08 PM, "Roy Spectech" <roygspectech8 at> wrote:
>I believe this has been discussed on this list previously.
>However, there seems to be disagreement on the solution tasks.

The solution is generic, obtain metadata corresponding to the appropriate
key and ensure the IdP is using it. What that entails is situational.

>OK, so either our side is signing with the wrong key or the
>IdP side is using the wrong key to decrypt.

No, this has nothing to do with decryption, and is about the IdP's
signature, not yours.

> It all comes down to which side needs to change? Is there a
>deterministic method of determining which side is using the wrong key?

No. The most plausible way at an SP in the absence of facts is to trace
the SAML message and compare the KeyInfo material in the signature to
what's in the metadata, but that doesn't tell you which is correct, only
that they don't match. And under no circumstances outside of testing
should you ever correct something based solely on something sent in a
message by somebody that could be an attacker.

> What log at the
>IdP side would we look at for that level of error?

There won't be any error at the IdP, it's happy to sign with any key it's
given, correct or not. Determining the key it's using is a simple matter of
examining the configuration. You can supply them with the metadata you
have to be verified against that.

-- Scott
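The check Scott describes above (trace the message, then compare the certificate in the signature's ds:KeyInfo with the signing certificate in the SP's copy of the IdP metadata), as an added example that is not part of the original thread or of the Shibboleth code base. It assumes the IdP carries its certificate inline as ds:X509Certificate, selects the metadata entry by the message's saml:Issuer, and uses constructed placeholder certificates and XML; the function names are mine. Consistent with the reply, the result says only whether the two differ, never which side is right, and the certificate taken from the message is never written anywhere.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET  # on untrusted input, prefer defusedxml.ElementTree

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}


def cert_fingerprint(b64_text):
    """SHA-256 over the DER bytes of an X509Certificate element's text.
    Whitespace and any PEM armour are stripped first so the same certificate
    compares equal whether the XML was pretty-printed or not."""
    cleaned = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", b64_text)
    cleaned = re.sub(r"\s+", "", cleaned)
    return hashlib.sha256(base64.b64decode(cleaned)).hexdigest()


def signature_key_fingerprints(saml_xml):
    """Issuer plus fingerprints of every certificate in a ds:KeyInfo of any
    ds:Signature in the message (Response and Assertion signatures alike).
    This is only what the sender *claims* it signed with: attacker-controlled."""
    root = ET.fromstring(saml_xml)
    issuer = root.find("saml:Issuer", NS)
    fps = set()
    for sig in root.iter("{%s}Signature" % NS["ds"]):
        for cert in sig.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            fps.add(cert_fingerprint(cert.text))
    return (issuer.text.strip() if issuer is not None else None), fps


def metadata_signing_fingerprints(metadata_xml, entity_id):
    """Fingerprints of the IdP's signing certificates in the SP's copy of the
    metadata. A KeyDescriptor with no 'use' attribute is valid for both
    signing and encryption; use="encryption" plays no part in verification."""
    root = ET.fromstring(metadata_xml)
    fps = set()
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        if ed.get("entityID") != entity_id:
            continue
        for kd in ed.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", NS):
            if kd.get("use") not in (None, "signing"):
                continue
            for cert in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                fps.add(cert_fingerprint(cert.text))
    return fps


def compare_signing_key(saml_xml, metadata_xml):
    """Report whether every certificate the message was signed under is among
    the signing certificates metadata lists for that issuer. A mismatch means
    the two disagree; it does not say which one is correct."""
    issuer, msg_fps = signature_key_fingerprints(saml_xml)
    md_fps = metadata_signing_fingerprints(metadata_xml, issuer)
    return {
        "issuer": issuer,
        "in_message": sorted(msg_fps),
        "in_metadata": sorted(md_fps),
        "match": bool(msg_fps) and msg_fps <= md_fps,
    }


# Constructed placeholders (hypothetical): real elements carry base64 DER of an X.509 cert.
CURRENT_CERT_B64 = base64.b64encode(b"constructed DER: key the IdP signs with today").decode()
STALE_CERT_B64 = base64.b64encode(b"constructed DER: key the IdP signed with last year").decode()
ENC_CERT_B64 = base64.b64encode(b"constructed DER: IdP encryption-only key").decode()
IDP_ENTITY_ID = "https://idp.example.org/idp/shibboleth"  # hypothetical entityID

# Constructed, trimmed SAML Response: only the parts this check reads are present.
SIGNED_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_resp1" Version="2.0">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo/><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {CURRENT_CERT_B64}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:Response>"""


def idp_metadata(signing_cert_b64):
    """Constructed SP-side copy of the IdP metadata with the given signing cert."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{IDP_ENTITY_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{signing_cert_b64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{ENC_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    for label, md in (("stale SP copy", idp_metadata(STALE_CERT_B64)),
                      ("fresh SP copy", idp_metadata(CURRENT_CERT_B64))):
        r = compare_signing_key(SIGNED_RESPONSE, md)
        print(label, "match" if r["match"] else "MISMATCH",
              "message:", r["in_message"], "metadata:", r["in_metadata"])
```

The fingerprints are the useful output: hand the metadata-side one to the IdP operator to compare against the credential in their own configuration, which is the only place the "correct" key can be established. Resolving a mismatch by loading the certificate from the message into SP metadata would let anyone who can send a message choose the key you trust.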
