RSA Federated Identity Manager "failed to validate signature value" error
Originally Published: 2015-05-20
Article Number
Applies To
RSA Product/Service Type: Federated Identity Management Module
RSA Version/Condition: 4.1 EOPS Reached
Platform: Windows
O/S Version: 2008 Server R2 x64
Issue
2015-04-20 10:28:27,125, (DSigHelper.java:548), fim, , , , util.crypto.dsig.verify.error, com.rsa.fim.saml.InvalidCryptoException: SAMLSignedObject.verify() failed to validate signature value
Cause
The failure occurs during the "Reference validation" phase of signature validation, when FIM computes the hash of the signed XML content and compares it with the hash value the partner signed.
The purpose of this check is specifically to ensure that the XML content has not been tampered with. The error means that this check failed.
If this error occurs unexpectedly, it may be for one of the following reasons.
- The payload was corrupted in transfer. Sometimes this occurs when some part of the HTTP infrastructure adds, transforms or deletes characters from the XML text in transit: for example, a proxy module that incorrectly modifies part of the XML through a regular-expression rule, or XML content passed in a query string that is URL-encoded or URL-decoded when it should not be. This is quite rare, but it can occur.
- Incorrect application of XML transforms. This is the most common failure. One of the SAML vendors is encoding the XML in a manner that changes the hash, or is transforming part of the XML after the signature has been calculated.
- Incorrect application of character encoding. Sometimes extended characters are encoded and decoded inconsistently, so the digest is calculated over different bytes than the signer used. Suspect this if the reference validation errors occur only for assertions containing specific characters.
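As an added illustration of the reference validation step described above (example code written for this article, not part of RSA FIM or the partner products), the following Python script canonicalizes a constructed SAML-style element, computes its digest, and shows which in-transit changes break the digest comparison and which do not. The element, its ID and the subject names are constructed; Python's canonicalize() implements C14N 2.0, which here stands in for whatever transform the partner's ds:Transforms actually specify.

```python
import base64
import hashlib
import hmac
import re
import unicodedata
import xml.etree.ElementTree as ET

# Constructed sample: a minimal SAML-style element standing in for the signed
# content. It is not a real assertion and carries no real identifiers.
SIGNED_XML = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"'
    ' ID="_example-id" IssueInstant="2015-04-20T10:28:27Z">\n'
    '  <saml:Issuer>https://idp.example.test</saml:Issuer>\n'
    '  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>\n'
    '</saml:Assertion>'
)


def canonical_digest(xml_text: str, algorithm: str = "sha256") -> str:
    """Canonicalize the element (the ds:Transform a signer applies before
    hashing) and return the base64 digest, the form used in ds:DigestValue.
    Python's canonicalize() implements C14N 2.0 (assumption for this demo); a
    real verifier must apply exactly the transforms the partner's signature names."""
    canonical = ET.canonicalize(xml_text)
    raw = hashlib.new(algorithm, canonical.encode("utf-8")).digest()
    return base64.b64encode(raw).decode("ascii")


def reference_validates(received_xml: str, expected_digest_b64: str,
                        algorithm: str = "sha256") -> bool:
    """The receiver's reference validation step: recompute the digest over
    what actually arrived and compare it with the digest the partner signed.
    compare_digest avoids leaking the mismatch position through timing."""
    actual = canonical_digest(received_xml, algorithm)
    return hmac.compare_digest(actual, expected_digest_b64)


def collapse_whitespace(xml_text: str) -> str:
    """Simulated intermediary that 'tidies' the XML in transit by removing the
    whitespace between elements. C14N preserves whitespace text nodes, so this
    changes the digest even though no element or value changed."""
    return re.sub(r">\s+<", "><", xml_text)


def reorder_attributes(xml_text: str) -> str:
    """Simulated harmless rewrite: swap the attribute order. C14N sorts
    attributes, so the digest is unchanged and validation still passes."""
    return xml_text.replace(
        'ID="_example-id" IssueInstant="2015-04-20T10:28:27Z"',
        'IssueInstant="2015-04-20T10:28:27Z" ID="_example-id"',
    )


def with_subject(xml_text: str, name: str) -> str:
    """Replace the constructed subject name, used to show the encoding cause."""
    return xml_text.replace(">alice<", ">" + name + "<")


def run_checks() -> dict:
    """Exercise the causes listed above and return each outcome by name."""
    signed = canonical_digest(SIGNED_XML)
    # Same visible name, different Unicode normalization: the signer hashed the
    # composed form, the receiver's stack decoded it to the decomposed form.
    composed = with_subject(SIGNED_XML, unicodedata.normalize("NFC", "M\u00fcller"))
    decomposed = with_subject(SIGNED_XML, unicodedata.normalize("NFD", "M\u00fcller"))
    return {
        "untouched": reference_validates(SIGNED_XML, signed),
        "attributes_reordered": reference_validates(reorder_attributes(SIGNED_XML), signed),
        "whitespace_collapsed": reference_validates(collapse_whitespace(SIGNED_XML), signed),
        "subject_renormalized_in_transit": reference_validates(
            decomposed, canonical_digest(composed)),
    }


if __name__ == "__main__":
    for check, passed in run_checks().items():
        print(f"{check}: {'valid' if passed else 'REFERENCE VALIDATION FAILED'}")
```

The two failing cases correspond to the first and third causes in the list: the bytes that reach the verifier are no longer the bytes the signer hashed, even though a human reading the XML would see nothing wrong. The attribute-reordering case shows the flip side: canonicalization exists precisely so that differences the signature algorithm declares irrelevant do not break validation, which is why the partner's transform chain must be applied exactly as declared.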
Resolution
Workaround
- One way to troubleshoot this is to change the SAML binding from one method to another. For example, if you are using the Redirect binding, which carries the message in a query string, and suspect the query string is being damaged, the issue might not occur with the POST binding, which carries it as form data.
- The likelihood of errors in XML transformation increases with the complexity of the XML. For testing, simplify the assertion as much as possible: do not pass attribute values; sign only the response rather than both the assertion inside the response and the response itself; and ensure that the XML elements do not use any non-standard or extended character sets.