RSA Federated Identity Manager "failed to validate signature value" error
Originally Published: 2015-05-20
Applies To
RSA Product/Service Type: Federated Identity Management Module
RSA Version/Condition: 4.1 EOPS Reached
Platform: Windows
O/S Version: 2008 Server R2 x64
Issue
2015-04-20 10:28:27,125, (DSigHelper.java:548), fim, , , , util.crypto.dsig.verify.error, com.rsa.fim.saml.InvalidCryptoException: SAMLSignedObject.verify() failed to validate signature value
Cause
The failure occurs during the "Reference validation" phase of XML Signature processing: FIM applies the transforms named in the signature to the signed XML content, computes the digest of the result, and compares it with the digest value the partner signed. Any difference, however small, between the bytes the partner digested and the bytes FIM digests after its own transforms produces a mismatch.
The purpose of this check is specifically to ensure that the signed XML content has not been changed since it was signed. The error means that this check failed: the content FIM received does not hash to the value the partner signed.
If this error occurs unexpectedly (that is, nobody deliberately modified the message), it is usually for one of the following reasons.
- The payload was corrupted in transit. Some part of the HTTP infrastructure added, transformed or deleted characters from the XML text on the way through; for example, a proxy module modified part of the XML through a regular-expression rewrite rule, or XML content carried in a query string was URL-encoded or URL-decoded when it should not have been. This is quite rare, but it does occur.
- Incorrect application of XML transforms. This is the most common cause. One of the SAML parties encodes or canonicalizes the XML in a way that changes the digest, or transforms part of the XML (re-serializes, reformats or re-indents it) after the signature has been calculated, so the bytes the partner digested are no longer the bytes FIM digests.
- Incorrect application of character encoding. An error in the way extended (non-ASCII) characters are encoded and decoded changes the bytes that are digested, so the digest is calculated over different data at each end. Suspect this if the reference validation error occurs only for assertions that contain specific characters.
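The reference validation described above, as an added example that is not RSA's code and not part of this article: a Python model (3.8+, standard library only) of the digest step of XML Signature verification, run over a constructed sample assertion with one variant for each of the three causes listed. The assertion text, the example hostnames and every function name are this example's own assumptions. It uses the standard library's C14N 2.0 canonicalizer where a real SAML signature would reference Exclusive C14N 1.0, and SHA-256 as the digest algorithm; the mechanics it demonstrates do not depend on either choice.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET  # ET.canonicalize needs Python 3.8+

# Constructed sample assertion (an illustration, not a real partner's message).
# The Subject deliberately contains whitespace-only text nodes and the display
# name contains a non-ASCII character, because those are what the transform and
# encoding failure modes act on.
ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
    ' Version="2.0" ID="_abc123" IssueInstant="2015-04-20T10:28:27Z">'
    '<saml:Issuer>https://idp.example.test</saml:Issuer>'
    '<saml:Subject>\n  <saml:NameID>m.mueller@example.test</saml:NameID>\n</saml:Subject>'
    '<saml:AttributeStatement><saml:Attribute Name="displayName">'
    '<saml:AttributeValue>Max M\u00fcller</saml:AttributeValue>'
    '</saml:Attribute></saml:AttributeStatement>'
    '</saml:Assertion>'
)


def canonicalize(xml_text: str, strip_text: bool = False) -> bytes:
    """The Transform step: serialise the element into a canonical byte string.

    The standard library implements C14N 2.0; SAML signatures normally use
    Exclusive C14N 1.0, but the rule demonstrated is the same: both parties
    must derive byte-identical output from the same element, or the digests
    cannot match.
    """
    return ET.canonicalize(xml_text, strip_text=strip_text).encode("utf-8")


def digest_value(xml_text: str, strip_text: bool = False) -> str:
    """base64(SHA-256(canonical bytes)), i.e. the content of <ds:DigestValue>."""
    digest = hashlib.sha256(canonicalize(xml_text, strip_text)).digest()
    return base64.b64encode(digest).decode("ascii")


def reference_valid(received_xml: str, signed_digest: str, strip_text: bool = False) -> bool:
    """Reference validation: re-digest what was received and compare it with the
    DigestValue the partner signed. False is the "failed to validate" condition."""
    return digest_value(received_xml, strip_text) == signed_digest


def scenario_results() -> dict:
    """Run the intact message and one variant per failure mode through validation."""
    signed_digest = digest_value(ASSERTION)  # what the partner computed and signed

    # Differences the parser and canonicalizer normalise away: attribute quote
    # style and the amount of whitespace inside a start tag. Still valid.
    retagged = ASSERTION.replace(
        ' Version="2.0" ID="_abc123"',
        "   Version='2.0'   ID='_abc123'")

    # Transport corruption: a proxy rewrite rule changes a hostname in the payload.
    rewritten = ASSERTION.replace("idp.example.test", "idp.example.com")

    # Encoding error: UTF-8 bytes interpreted as Latin-1 before digesting, so the
    # "ü" in the display name becomes two characters.
    mojibake = ASSERTION.encode("utf-8").decode("latin-1")

    return {
        "intact": reference_valid(ASSERTION, signed_digest),
        "retagged_normalised": reference_valid(retagged, signed_digest),
        "proxy_rewrite": reference_valid(rewritten, signed_digest),
        # Transform mismatch: the receiver strips whitespace-only text nodes
        # (a different transform) while the signer did not.
        "transform_mismatch": reference_valid(ASSERTION, signed_digest, strip_text=True),
        "encoding_mismatch": reference_valid(mojibake, signed_digest),
    }


if __name__ == "__main__":
    for name, ok in scenario_results().items():
        print(f"{name:22s} {'reference OK' if ok else 'failed to validate digest'}")
```

Running the block prints one line per scenario. Attribute quote style and whitespace inside a start tag are normalised before digesting and do not affect the result, whereas a rewritten hostname, a whitespace-stripping transform applied by only one side, or a Latin-1/UTF-8 mix-up each change the canonical bytes and reproduce the digest failure. The same approach works against a partner's real assertion: canonicalize it with the transforms named in the signature's ds:Reference and compare the result with the DigestValue they sent.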
Resolution
Workaround
- One way to narrow this down is to change the SAML binding. For example, if you are using the HTTP-Redirect binding, which carries the message in a query string, and suspect the query string is being damaged, try the HTTP-POST binding, which carries the message as form data. If the error disappears, the transport path is corrupting the message.
- The likelihood of XML transformation errors increases with the complexity of the XML, so for testing simplify the assertion as much as possible: do not pass attribute values; sign only the response rather than both the assertion and the response that contains it; and make sure the XML elements contain no non-standard or extended characters. Reintroduce these one at a time to find the element that breaks the digest.