Published on October 28th, 2025. Last updated 7 days ago.

Did not decrypt response since it is not signed

If you encounter an error similar to the following in the log shown on the SAML SSO configuration page:

Saml2AuthenticationException{error=[invalid_signature] Did not decrypt response [_1234abc5-ef6g-7hij-klmn-8910op11qr123] since it is not signed}

The key part of the message is: Did not decrypt response since it is not signed.

This usually indicates that the customer's IdP is using an unsafe configuration: encryption of the SAML response is turned on, but signing is not. The service provider refuses to decrypt a response that is not signed, so the login fails.

To fix this, signing of SAML responses must be turned on at the IdP. Reach out to the customer's IT department and ask them to try the following (the commands below are AD FS PowerShell cmdlets):

  • On the IdP, run the following command (replace <Name> with the name of the relying party trust): Get-AdfsRelyingPartyTrust -Name <Name>
  • In the output, look for the values:
    SignedSamlRequestsRequired
    SamlResponseSignature
  • If SignedSamlRequestsRequired is false, or SamlResponseSignature is not MessageAndAssertion, update them with the following commands:

Get-AdfsRelyingPartyTrust -Name "<Name>" | Set-AdfsRelyingPartyTrust -SignedSamlRequestsRequired $true

Get-AdfsRelyingPartyTrust -Name "<Name>" | Set-AdfsRelyingPartyTrust -SamlResponseSignature MessageAndAssertion
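The check-and-fix procedure above, written out as an added PowerShell script that is not part of the original article: it audits one trust (or, going beyond the article, every relying party trust on the AD FS server), reports the ones whose settings differ from what the article requires, and only changes them when the script's own -Fix switch is given. The Name and Fix parameters are this script's assumptions; the cmdlets and property names are the AD FS ones used above.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell
# on the AD FS server. -Name and -Fix are parameters of this script, not of AD FS.
param(
    [string]$Name,   # audit a single relying party trust; omit to audit all trusts
    [switch]$Fix     # apply Set-AdfsRelyingPartyTrust instead of only reporting
)

Import-Module ADFS

$trusts = if ($Name) { Get-AdfsRelyingPartyTrust -Name $Name } else { Get-AdfsRelyingPartyTrust }

foreach ($t in $trusts) {
    $problems = @()

    # The SP refuses to decrypt a response that is not signed, so anything other
    # than MessageAndAssertion produces the "Did not decrypt response" error.
    if ($t.SamlResponseSignature -ne 'MessageAndAssertion') {
        $problems += "SamlResponseSignature=$($t.SamlResponseSignature) (expected MessageAndAssertion)"
    }
    if (-not $t.SignedSamlRequestsRequired) {
        $problems += "SignedSamlRequestsRequired=False (expected True)"
    }

    if ($problems.Count -eq 0) {
        Write-Host "[OK]   $($t.Name)"
        continue
    }

    # EncryptClaims is the AD FS property that turns on assertion encryption; the
    # combination the article describes is encryption on with signing off.
    $tag = if ($t.EncryptClaims) { '[WEAK: encrypted but unsigned]' } else { '[WEAK]' }
    Write-Host "$tag $($t.Name): $($problems -join '; ')"

    if ($Fix) {
        # Same change as the two commands in the article, applied in one call.
        $t | Set-AdfsRelyingPartyTrust -SignedSamlRequestsRequired $true `
                                       -SamlResponseSignature 'MessageAndAssertion'
        Write-Host "       fixed $($t.Name)"
    }
}
```

Run it once without -Fix to see which trusts would be changed, then again with -Fix to apply the settings.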

If you do not have access to the command line of the IdP, open the settings of your IdP and look for the equivalent settings in its UI.

Please allow some time for the IdP changes to sync (it can take up to an hour depending on the IdP set-up).