Symptoms
- User sees a 403 error when attempting to log into the Invoca platform via SAML/SSO.
- The error message included with the SAML response read, "Invalid Signature on SAML Response," and the customer's x509 certificate was not included in their SAML response (an SSO debugger was needed to read the error message).
Applies To
- SAML/SSO integration
- Customers who are implementing the Invoca SAML/SSO integration
Resolution
- Open your config settings for your Identity Provider. The customer in this instance uses RSA SecurID.
- Locate the setting that determines whether the certificate is included in the outgoing assertion.
- If that setting is not enabled, enable it.
- Attempt to log in again.
Cause
The customer did not have the setting enabled in their Identity Provider that dictated whether their x509 certificate is sent to the Service Provider (Invoca) in their SAML response.
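To confirm this cause from a captured response, the following added example (not Invoca or RSA code) decodes a base64 SAMLResponse value from an HTTP-POST login and reports whether the signature embeds an x509 certificate. The function names and the sample responses are constructed for illustration, and the check only inspects structure; it does not verify the signature.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
CERT_PATH = "ds:KeyInfo/ds:X509Data/ds:X509Certificate"

def signature_report(saml_response_b64):
    """Say, for the Response and its first Assertion, whether each is signed
    and whether that signature carries an X509Certificate in its KeyInfo."""
    raw = base64.b64decode(saml_response_b64)
    # SAML messages never need a DTD; refuse one rather than parse entities.
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD/entity declarations are not expected in SAML")
    root = ET.fromstring(raw)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a SAML 2.0 Response")
    targets = {"Response": root}
    assertion = root.find("saml:Assertion", NS)  # absent if the IdP encrypts it
    if assertion is not None:
        targets["Assertion"] = assertion
    report = {}
    for name, elem in targets.items():
        sig = elem.find("ds:Signature", NS)  # direct child only
        cert = None if sig is None else sig.find(CERT_PATH, NS)
        has_cert = cert is not None and bool((cert.text or "").strip())
        report[name] = {"signed": sig is not None, "certificate_included": has_cert}
    return report

def constructed_response(with_cert):
    """Constructed sample: a skeleton Response, not a valid signed message."""
    key_info = (
        "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>Q09OU1RSVUNURUQ="
        "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
    ) if with_cert else ""
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
        f'xmlns:ds="{NS["ds"]}"><ds:Signature><ds:SignatureValue>c2ln'
        f"</ds:SignatureValue>{key_info}</ds:Signature><saml:Assertion/></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(signature_report(constructed_response(with_cert=False)))
```

A result of "signed": True with "certificate_included": False on the signed element matches the condition described in the Cause above.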
Additional Information
If this solution does not solve the issue, see additional solutions for SAML/SSO 403 errors: