000013989 - FIM 'The response signature cannot be verified' message is not very descriptive.

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000013989
Applies To: Federated Identity Management Module (FIM) 4.1
Issue: FIM "The response signature cannot be verified" message is not very descriptive.

The FIM server throws the following exception:

com.rsa.fim.profile.sso.SSOProfileException: Exception encountered at the top-level of the profile bean: The response signature cannot be verified: The message is signed, but the signature cannot be verified

Cause: The exception message gives no detail on why signature validation failed. Any problem with the trusted certificate or its chain, and any problem with the signature itself, produces this same exception.

This has been resolved in hotfix 4.1 HF_30 for RSA Federated Identity Manager (FIM) 4.1. Contact RSA Customer Support and request this hotfix or the latest cumulative hotfix for your platform.

With this hotfix, when signature or certificate validation fails, the system event log records one of the following more specific messages identifying the failing step:

"ApacheXMLSecurityImpl does not support this XMLSignature format"
"Cannot find trustlist keystore or cert alias for signature verification"
"Cannot retrieve trusted certficate from keystore for signature verification"
"The public key present in the message did not match the public key present in the trusted keystore."
"Invalid signature value for the signing SAML message"
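The five messages above correspond to distinct steps in SAML signature verification: unmarshalling the ds:Signature, locating the trust keystore and alias, loading the trusted certificate, comparing the key carried in the message with the trusted key, and finally verifying the signature value and reference digests. The following is an added example, not RSA's code and not part of the hotfix: a hypothetical stand-alone Java diagnostic built on the JDK's javax.xml.crypto.dsig API that runs those same steps against a signed SAML message and reports which condition applies. It assumes a JKS trust keystore, an alias name, a store password and a message file given on the command line, and it examines the first ds:Signature element it finds (a Response and its Assertion may each carry one). It is a troubleshooting aid and does not replace FIM's own validation.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.xml.XMLConstants;
import javax.xml.crypto.MarshalException;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureException;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Hypothetical diagnostic (not FIM code): verifies the first ds:Signature in a
 * SAML message against a trust keystore and reports which step fails.
 * Usage: java SamlSignatureCheck response.xml trust.jks <alias> <storepass>
 */
public class SamlSignatureCheck {

    public static void main(String[] args) throws Exception {
        String responsePath = args[0], keystorePath = args[1], alias = args[2];
        char[] storePass = args[3].toCharArray();

        // Namespace-aware parsing is required to find ds:Signature; DTDs are
        // refused so a crafted message cannot trigger XXE or entity expansion.
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc;
        try (FileInputStream in = new FileInputStream(responsePath)) {
            doc = dbf.newDocumentBuilder().parse(in);
        }
        NodeList sigNodes = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigNodes.getLength() == 0) {
            System.out.println("The message is not signed");
            return;
        }
        Element sigElem = (Element) sigNodes.item(0);
        Element signedElem = (Element) sigElem.getParentNode();

        // Step: trust keystore and certificate alias must exist and be usable.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, storePass);
        }
        X509Certificate trusted = (X509Certificate) ks.getCertificate(alias);
        if (trusted == null) {
            System.out.println("Cannot find cert alias '" + alias + "' in " + keystorePath);
            return;
        }
        try {
            trusted.checkValidity();
        } catch (CertificateException e) {
            System.out.println("Trusted certificate is not currently valid: " + e.getMessage());
            return;
        }

        // Validate with the trusted key only; a key embedded in the message is
        // never used for verification, it is only compared against the trusted one.
        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        DOMValidateContext ctx = new DOMValidateContext(trusted.getPublicKey(), sigElem);
        // SAML elements carry an 'ID' attribute; register it so Reference URI="#..." resolves.
        if (signedElem.hasAttribute("ID")) {
            ctx.setIdAttributeNS(signedElem, null, "ID");
        }

        // Step: signature structure the library cannot handle.
        XMLSignature sig;
        try {
            sig = fac.unmarshalXMLSignature(ctx);
        } catch (MarshalException e) {
            System.out.println("Unsupported XMLSignature format: " + e.getMessage());
            return;
        }

        // Step: key carried in ds:KeyInfo must match the trusted key byte for byte.
        X509Certificate embedded = embeddedCertificate(sig.getKeyInfo());
        if (embedded != null && !Arrays.equals(embedded.getPublicKey().getEncoded(),
                                               trusted.getPublicKey().getEncoded())) {
            System.out.println("Public key in the message does not match the trusted keystore key"
                    + " (message cert subject: " + embedded.getSubjectX500Principal() + ")");
            return;
        }

        // Step: cryptographic check of SignatureValue, then of each Reference digest.
        try {
            if (sig.validate(ctx)) {
                System.out.println("Signature verified against alias '" + alias + "'");
            } else if (!sig.getSignatureValue().validate(ctx)) {
                System.out.println("Invalid signature value: SignatureValue does not verify with the trusted key");
            } else {
                for (Object r : sig.getSignedInfo().getReferences()) {
                    Reference ref = (Reference) r;
                    if (!ref.validate(ctx)) {
                        System.out.println("Digest mismatch for Reference URI=" + ref.getURI()
                                + ": signed content was altered after signing");
                    }
                }
            }
        } catch (XMLSignatureException e) {
            System.out.println("Signature could not be processed: " + e.getMessage());
        }
    }

    /** Returns the first X509Certificate carried in ds:KeyInfo, or null if none. */
    static X509Certificate embeddedCertificate(KeyInfo keyInfo) {
        if (keyInfo == null) return null;
        for (Object item : keyInfo.getContent()) {
            if (item instanceof X509Data) {
                for (Object x : ((X509Data) item).getContent()) {
                    if (x instanceof X509Certificate) return (X509Certificate) x;
                }
            }
        }
        return null;
    }
}
```

The ordering matters for diagnosis: a key mismatch is reported before the cryptographic check, because a mismatched key always makes SignatureValue fail and would otherwise be indistinguishable from a tampered message. Distinguishing a failed SignatureValue from a failed Reference digest separates "signed with the wrong key" from "content changed after signing", which is the detail the original exception message lacks.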

Legacy Article ID: a52320