signature validation failure

Bobby Lawrence robertl at
Wed Apr 6 16:55:10 UTC 2022

One more question....some background first....this SP recently underwent a key rollover a week ago.  They do not publish their metadata at a place where we can get it dynamically, but I went in and updated the X509Data->X509Certificate in our local copy of their metadata with their new certificate.
So I don’t know if the problem is that we have the wrong certificate (unlikely) or that they are signing with their old private key.  Is there any way to verify this?  All I have from their request is the RSA key modulus and the exponent.  Should I be able to extract the public key from the certificate we have on file, extract the modulus from that and then compare the values (after base64 encoding it)?

-----Original Message-----
From: Cantor, Scott <cantor.2 at> 
Sent: Wednesday, April 06, 2022 12:37 PM
To: Shib Users <users at>
Cc: Bobby Lawrence <robertl at>
Subject: [EXTERNAL] Re: signature validation failure

On 4/6/22, 12:05 PM, "users on behalf of Bobby Lawrence via users" <users-bounces at on behalf of users at> wrote:

>    For some reason, IdP (v3.4.7) is failing this request….it states 
> the signature is valid but fails to establish the trust for this key.  I do not know why…can anyone help?

It's telling you why, the key isn't the key from the certificate in the metadata.

-- Scott
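
The comparison asked about in the first message, as an added example that is not part of the thread or of Shibboleth's code: it extracts the RSA modulus and exponent from the certificate held in metadata and compares them, as integers, with the values from the request (assumed here to be in ds:RSAKeyValue form). Integers are compared rather than base64 strings because the DER INTEGER in a certificate carries a leading zero byte that XML Signature's CryptoBinary encoding omits. The function names, the skeleton certificate and its toy 8-byte modulus are constructed for illustration.

```python
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Split the contents of a constructed DER element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        out.append((tag, val))
    return out

def cert_rsa_key(cert_b64):
    """(modulus, exponent) as ints from the base64 text of an X509Certificate element."""
    der = base64.b64decode("".join(cert_b64.split()))
    tbs = children(children(der)[0][1])[0][1]      # Certificate -> tbsCertificate
    fields = children(tbs)
    if fields[0][0] == 0xA0:                       # optional explicit [0] version
        fields = fields[1:]
    alg, bits = children(fields[5][1])             # subjectPublicKeyInfo
    if children(alg[1])[0][1] != RSA_OID:
        raise ValueError("certificate key is not RSA")
    n, e = children(children(bits[1][1:])[0][1])   # skip the BIT STRING unused-bits byte
    return int.from_bytes(n[1], "big"), int.from_bytes(e[1], "big")

def keyvalue_int(crypto_b64):
    """Integer from a base64 Modulus or Exponent value (big-endian bytes)."""
    return int.from_bytes(base64.b64decode("".join(crypto_b64.split())), "big")

def request_key_matches(cert_b64, modulus_b64, exponent_b64):
    """True when the request's RSA key is the key in the metadata certificate."""
    return cert_rsa_key(cert_b64) == (keyvalue_int(modulus_b64), keyvalue_int(exponent_b64))

# Constructed sample: a skeleton certificate with a toy modulus, not a real SP certificate.
SAMPLE_CERT = base64.b64encode(bytes.fromhex(
    "303d 3036 a003020102 020101 3000 3000 3000 3000"
    "3024 300d06092a864886f70d0101010500 031300"
    "3010 020900c123456789abcdef 0203010001 3000 030100")).decode()
SAMPLE_MODULUS = "wSNFZ4mrze8="   # constructed: same modulus, no leading zero byte
OLD_MODULUS = "qrvM3e7/ABE="      # constructed: a different (rolled-over) key
print(request_key_matches(SAMPLE_CERT, SAMPLE_MODULUS, "AQAB"))
```

A `False` result with the real values means the request was signed with a key other than the one in the certificate on file.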
