When your signature verification certificate used to sign the ADFS SAML response does not match what is in the SAML Administration module of your website, you will receive an error, "Login Failed – Cannot validate SAML token." You can fix this error by updating your Signature Verification Certificate in the SAML Administration module of your website using the following steps. If you need any assistance performing these steps, please contact Support.
Instructions
- Sign in to your website solution if you have not already
- Expand the Modules menu, click the Site Tools tab, and select the Saml Administration option
Note: Access to the SAML Administration section requires System Administrator permissions. - Uncheck the Signature Signing and Verification checkbox
- Delete the certificate inside the Signature Verification Certificate box so that the field is empty
- Scroll back up and click the Save Changes button
- In a new tab, navigate to https://[your website domain]/common/admin/rebuildcache.aspx to rebuild your website cache; you should see a blank page
- Go back to the SAML Administration module tab and check the Signature Signing and Verification checkbox
- Click the Save Changes button
- Sign in to the website using ADFS
- The new certificate has now automatically populated into the database
Note: The new certificate will not appear in the Signature Signing and Verification field until after an app pool recycles your website (which occurs every night). You can check back after this to see the new certificate populated in this field.
Article Glossary
The terms located in this section are listed alphabetically.
- ADFS: Active Directory Federation Service
- App: Application
- SAML: Security Assertion Markup Language
Feedback About the Article
Let us know what was helpful or not helpful about the article below.0 comments
Please sign in to leave a comment.