SAML certificate guide
SAML signature validation failed after certificate rotation
SAML signature validation failures often occur when an IdP rotates its signing certificate but the SP still trusts old metadata.
Common symptoms
- The user reaches the SP after IdP login but receives an authentication failed message.
- SP logs say unable to validate SAML Response signature.
- Trusted metadata fingerprint differs from the certificate used to sign the response.
- Metadata refresh has not run or is failing.
Evidence to collect
- Expected signing certificate fingerprint from trusted metadata.
- Actual SAML Response signing certificate fingerprint.
- Metadata refresh timestamp and errors.
- IdP metadata URL and current signing certificate validity.
Common causes
- SP metadata is stale after IdP signing certificate rotation.
- Metadata refresh is failing due to PKIX or network errors.
- SP is pinned to an old signing certificate.
How to fix or triage it
- Refresh SP metadata from the trusted IdP source.
- Resolve certificate path issues preventing metadata retrieval.
- Confirm the SP trusts the current IdP signing certificate.
How AccessTrace AI helps
- Detects SAML signing fingerprint mismatch evidence.
- Flags stale metadata and PKIX refresh failures.
- Creates vendor-facing language explaining what must be updated.
Example evidence
Unable to validate SAML Response signature. Expected IdP signing certificate fingerprint: 3A:7B:9F... Actual certificate fingerprint used to sign SAML Response: 91:C2:18... SP metadata last refreshed on 2026-04-15.
Turn messy access evidence into a report
Paste sanitized SSO, directory, certificate, or access-policy evidence into AccessTrace AI and generate findings, remediation steps, vendor questions, and ticket-ready language.
Start with the free plan