How To Fix SAML2061 - Signature of message '&1' from issuer '&2' is invalid

The SAP error message SAML2061 indicates that there is an issue with the signature of a SAML (Security Assertion Markup Language) message. Specifically, it states that the signature of the message is invalid, which can prevent successful authentication or authorization processes in systems that rely on SAML for Single Sign-On (SSO) or federated identity management.
Causes of SAML2061


Invalid Signature: The signature of the SAML assertion may not match the expected signature. This can happen if the assertion was tampered with or if there is a mismatch in the signing keys.


Certificate Issues: The certificate used to sign the SAML assertion may not be trusted by the receiving system. This could be due to:

The certificate not being installed in the trust store.
The certificate being expired or revoked.
A mismatch between the signing certificate and the one configured in the SAP system.



Configuration Errors: There may be misconfigurations in the SAML settings, such as:

Incorrect issuer URL.
Wrong endpoint URLs.
Mismatched signing algorithms.



Clock Skew: If the system clocks of the identity provider (IdP) and service provider (SP) are not synchronized, it can lead to issues with the validity period of the SAML assertion.


Encoding Issues: The SAML message may have been altered during transmission, leading to encoding issues that affect the signature verification.


Solutions to SAML2061


Verify the Signature: Check the signature of the SAML assertion to ensure it is valid. You can use tools or libraries that support SAML to validate the signature against the public key of the issuer.


Check Certificates:

Ensure that the signing certificate is correctly installed in the trust store of the SAP system.
Verify that the certificate is not expired or revoked.
Ensure that the certificate used by the IdP matches the one configured in the SAP system.



Review Configuration:

Double-check the SAML configuration settings in the SAP system, including the issuer URL, endpoint URLs, and signing algorithms.
Ensure that the IdP and SP configurations are consistent.



Synchronize Clocks: Ensure that the system clocks of both the IdP and SP are synchronized. This can often be done using NTP (Network Time Protocol).


Inspect the SAML Message: Use tools like SAML Tracer (a browser extension) to capture and inspect the SAML messages being exchanged. Look for any anomalies or encoding issues.


Consult Logs: Check the logs of both the SAP system and the IdP for any additional error messages or warnings that could provide more context about the issue.


Related Information

SAML Assertions: Understand the structure of SAML assertions, including how they are signed and the role of certificates.
SAP SSO Configuration: Familiarize yourself with the configuration steps for setting up SSO in SAP, including the necessary settings for SAML.
Security Best Practices: Follow best practices for managing certificates and securing SAML communications, such as using strong encryption and regularly updating certificates.

By addressing the potential causes and following the suggested solutions, you should be able to resolve the SAML2061 error and ensure successful SAML authentication in your SAP environment.