Symptom
SAML 2.0 authentication fails and one of the following error messages is raised:
- "Signature validation with the configured primary certificate failed..."
- "CX_SEC_SXML_ERROR: SSFW_KRN_VERIFY failed with: Signature verification failed (for signer) or Envelope failed (for recipient)"
- "SSFW_KRN_VERIFY failed with: Signer is not known or not trusted *OR* Recipient not found (in address book/PSE)"
- Caused by: CX_SAML20_CORE: Error in ST program SAML2_ASSERTION when importing XML data. Long text: Error in ST program SAML2_ASSERTION when importing XML data.
- Caused by: CX_SEC_SXML_ERROR:
  SAML20 at CL_SEC_SXML_DSIGNATURE->VERIFY_XML(Line 315)

The error appears in the SAML 2.0 traces, which can be collected as described in KBA 2960670.
Environment
- SAP enhancement package 2 for SAP NetWeaver 7.0
- SAP NetWeaver 7.3
- SAP enhancement package 1 for SAP NetWeaver 7.3
- SAP NetWeaver 7.4
- SAP NetWeaver 7.5 and higher
Product
SAP NetWeaver 7.3 ; SAP NetWeaver 7.4 ; SAP NetWeaver 7.5 ; SAP NetWeaver 7.5 for SAP S/4HANA 1511 ; SAP NetWeaver 7.51 for SAP S/4HANA 1610 ; SAP NetWeaver 7.52 for SAP S/4HANA 1709 ; SAP enhancement package 2 for SAP NetWeaver 7.0 ; SAP enhancement package 3 for SAP NetWeaver 7.0
Keywords
SAML2.0, CX_SEC_SXML_ERROR, SSFW_KRN_VERIFY, Signature verification, Signature validation, SSFW_KRN_VERIFY failed with: Signature verification failed, SAML2_DEBUG, SAML2_ASSERTION, Certificate, SSF, Sign, Return code 027, Invalid Signature, KBA, BC-SEC-LGN-SML, SAML 2.0 for ABAP, LOD-CRM-SEC, Security Topics, Problem
About this page
This is a preview of a SAP Knowledge Base Article.