Problem: Keycloak - The SAML response contained a invalid signature: Failed to verify signature

Problem:

You cannot log in via the Univention Management Console (UMC); the login fails with the following error message (quoted verbatim, including the "a invalid" wording, so that it can be searched for as-is):

"Could not fulfill the request. Server error message: The SAML response contained a invalid signature: Failed to verify signature"

UMC, acting as the SAML Service Provider (SP), verifies the signature on every SAML response against the Identity Provider (IdP) certificate stored in its local copy of the Keycloak metadata. If Keycloak now signs with a different certificate than the one in that local copy, verification fails and the login is rejected. This commonly occurs after:

  • Keycloak updates
  • Certificate renewals
  • Changes to the Keycloak configuration

Solution:

Step 1: Verify the Problem

Compare the certificate Keycloak currently publishes in its SAML metadata with the copy UMC has cached, to confirm the cause:

# Certificate currently published by Keycloak: the base64 block inside <ds:X509Certificate>
curl https://ucs-sso-ng.YOUR-DOMAIN.com/realms/ucs/protocol/saml/descriptor
# Certificate UMC cached at its last metadata download (same element, same format)
cat /usr/share/univention-management-console/saml/idp/ucs-sso-ng.YOUR-DOMAIN.com.xml

Note: Replace YOUR-DOMAIN.com with your actual domain.

The <ds:X509Certificate> values in both documents should be identical (differences in line wrapping do not matter). If they differ, proceed to Step 2. If they are already identical, the stale metadata copy described here is not the cause, and Step 3 will not change anything.

Step 2: Check Current Configuration

ucr get umc/saml/idp-server

The output should look something like:

https://ucs-sso-ng.YOUR-DOMAIN.com/realms/ucs/protocol/saml/descriptor

Step 3: Re-synchronize Certificate

Even if the UCR variable already has the correct value, set it again: the set operation is what triggers a fresh download of the metadata and with it the current certificate:

ucr set umc/saml/idp-server='https://ucs-sso-ng.YOUR-DOMAIN.com/realms/ucs/protocol/saml/descriptor'

What happens:

  • The file /usr/share/univention-management-console/saml/idp/ucs-sso-ng.YOUR-DOMAIN.com.xml is recreated
  • The current metadata, including the signing certificate, is downloaded from Keycloak
  • The dependent SAML configuration files (the UMC PAM configuration and the slapd SASL configuration shown in the output below) are rewritten

You should see output like this:

Setting umc/saml/idp-server
Module: setup_saml_sp
Try to download idp metadata (1/60)
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3444  100  3444    0     0   273k      0 --:--:-- --:--:-- --:--:--  280k
Multifile: /etc/pam.d/univention-management-console
File: /etc/ldap/sasl2/slapd.conf

Step 4: Test Login

Try logging in via UMC again. The error should be resolved.
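The four steps above, combined into one script. This is an added example, not code from the Univention article or from UCS: it fetches the metadata Keycloak publishes, compares the certificate(s) it contains with the cached file, prints the fingerprint of the new certificate, and re-sets umc/saml/idp-server only when the two actually differ. It assumes (the article does not say so) that the certificate sits in an X509Certificate element with or without the "ds:" prefix, and it takes the SSO host name from an environment variable UCS_SSO_FQDN, a name chosen here for illustration.

```shell
#!/bin/bash
# Added example, not code from the Univention help article or from UCS itself.
# Fetch the SAML metadata Keycloak publishes, compare its signing certificate(s)
# with the copy UMC has cached, and re-set umc/saml/idp-server only if they differ.
#
# Assumptions not stated in the article: the certificate is in an X509Certificate
# element (with or without the "ds:" prefix), and the SSO host name comes from the
# UCS_SSO_FQDN environment variable (a name chosen for this example).
set -eu

# Print every X509Certificate body found on stdin, one per line, sorted and with
# all whitespace removed, so that different line wrapping in the live descriptor
# and in the cached file does not look like a certificate change.
extract_saml_certs() {
    tr -d '\n\r\t ' \
    | grep -o '<[^</>]*X509Certificate>[^<]*' \
    | sed 's/^<[^>]*>//' \
    | sort -u
}

# Succeed (exit 0) only if both metadata files contain the same, non-empty set of
# certificates. A file without any certificate never counts as a match, so a
# failed or empty download cannot be mistaken for "nothing changed".
certs_match() {
    local live cached
    live=$(extract_saml_certs < "$1")
    cached=$(extract_saml_certs < "$2")
    [ -n "$live" ] && [ -n "$cached" ] && [ "$live" = "$cached" ]
}

# SHA-256 fingerprint of one base64-encoded DER certificate, for the change log
# and for comparing with the certificate shown in the Keycloak admin console.
cert_fingerprint() {
    { echo '-----BEGIN CERTIFICATE-----'
      echo "$1" | fold -w 64
      echo '-----END CERTIFICATE-----'; } \
    | openssl x509 -noout -fingerprint -sha256
}

# Steps 1 to 3 for one SSO host: download, compare, and re-set the UCR variable
# only when the cached certificate is stale.
resync_if_stale() {
    local fqdn="$1"
    local url="https://$fqdn/realms/ucs/protocol/saml/descriptor"
    local cached="/usr/share/univention-management-console/saml/idp/$fqdn.xml"
    local live
    live=$(mktemp)
    # No --insecure here: this download is the trust anchor for every later SAML
    # login, so the IdP's own TLS certificate must verify against the system CAs.
    curl -fsS "$url" -o "$live"
    if certs_match "$live" "$cached"; then
        echo "Cached IdP certificate already matches Keycloak; Step 3 would change nothing."
        rm -f "$live"
        return 0
    fi
    echo "Cached IdP certificate is stale. Keycloak now publishes:"
    extract_saml_certs < "$live" | while read -r cert; do cert_fingerprint "$cert"; done
    # Re-setting the variable to its current value is what makes the setup_saml_sp
    # module download the descriptor again and rewrite the cached file (Step 3).
    ucr set umc/saml/idp-server="$url"
    rm -f "$live"
}

# The live check runs only when a host is given, e.g.
#   UCS_SSO_FQDN=ucs-sso-ng.YOUR-DOMAIN.com ./check-idp-cert.sh
# so the helper functions can also be sourced and used on their own.
if [ -n "${UCS_SSO_FQDN:-}" ]; then
    resync_if_stale "$UCS_SSO_FQDN"
fi
```

Run it on the UCS system where UMC is failing; afterwards perform Step 4 (test the login). Because the comparison normalizes whitespace and ignores the namespace prefix, it gives the same answer as the manual comparison in Step 1 but without false alarms from re-wrapped base64 lines.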

Note for Environments Without Keycloak

If your UCS domain still uses SimpleSAMLphp as the Identity Provider instead of Keycloak, the steps above do not apply; the solution for that setup is different.