Product/System Name | Menlo
Version | 1.0
Date | 30th Dec 2024
Author | Seng Weil Yang
Confidentiality | [Public and Internal Use]


Revision History 

Version | Effective Date | Prepared/Amended By | Summary of Changes | Approved By
1.0 | 30/12/2024 | WY | Preparing the Guide | Zulfadli
1.1 | | | |

1. Introduction 

Users see a "Signature validation failed" error when they try to sign in to ADFS for web browsing. This error may be encountered by all users in an organization or by a subset of users. 

NOTE: This article uses ADFS as an example, but the same error can be seen with other SAML providers. Refer to the relevant SAML guide to review how to export the new certificate from that provider.


2. Before You Begin 

 2.1. Preparation Checklist 

  • Ensure that you have the SAML Debugger extension installed (Chrome browser only; optional)
  • Ensure that the customer can export the Base64-encoded token-signing certificate configured for the IdP SSO, or has direct access to the AD server
  • Ensure that you have access to the customer's Menlo Portal

 

 2.2. Safety and Precautions 


The initial troubleshooting step is to confirm whether the token-signing certificate carried in the SAML Response during authentication is the same as the certificate configured for SSO in the Menlo Portal.

If it is confirmed that ADFS (or another type of IdP) is already using a newly generated certificate, the new certificate must be uploaded into the Menlo Portal. This may fall under the customer's change request process, so check with the customer before proceeding further.

3. Troubleshooting Process Overview 

1) Ask the customer to reproduce the issue and capture the SAML Response, either through the SAML Debugger extension or manually

2) Obtain the certificate from the SAML Response: the SAML Debugger shows it decoded, or decode the response yourself to obtain the XML and look for the X509Certificate element

3) Compare the X509 certificate with the one uploaded to the Menlo Portal

4) If they differ, upload the new certificate into the Menlo Portal


4. Common Issues and Solutions 

4.1. Issue Identification Table 

Issue Description | Possible Causes | Initial Checks | Suggested Solutions
SAML Response Rejected | The X509 certificate presented in the user's SAML Response does not match the one configured in the Menlo Portal | Obtain the X509 certificate from the SAML Response and compare it with the Menlo Portal | - Check and compare the certificate between browser and portal
- Upload the correct certificate to the Menlo Portal

5. Step-by-Step Troubleshooting Guides 

Option 1: SAML Debugger extension

Note: This works for the Chrome browser only

If the installation of extensions is allowed by your corporate policy, download the "SAML Chrome Panel" extension from the Chrome Web Store.

  1. Navigate to the site (e.g. www.msn.com) in your browser
  2. Open Developer Tools for the browser you are working with and select the SAML tab (make sure that recording is enabled)
  3. Enter the relevant credentials on the Menlo Security and ADFS login pages as before
  4. When you encounter the "Signature validation failed" error, go back to Developer Tools; you will see the request for the SAML authentication
  5. In Developer Tools, locate https://safe.menlosecurity.com/safeview-auth-server/saml; the certificate key decoded from the SAML response is shown there

<Certificate key from Menlo Security Admin portal>


Option 2: Manually through the browser response

  1. Navigate to the site (e.g. www.msn.com) in your browser
  2. Open Developer Tools for the browser you are working with and select the Network tab (make sure that recording is enabled)
  3. Enter the relevant credentials on the Menlo Security and ADFS login pages as before
  4. When you encounter the "Signature validation failed" error, go back to Developer Tools and locate the request named saml, then select it
  5. Scroll down to the bottom, where you can see Form Data, and copy the encoded string for SAMLResponse
  6. Go to https://www.samltool.com/decode.php and paste in the encoded string
  7. Click Decode to obtain the decoded XML
  8. In the Deflated XML output, look for X509Certificate. Compare the certificate reported here with the one configured in the Menlo Admin UI

<Certificate key decoded from SAML response>
<Certificate key from Menlo Security Admin portal>
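As an added example (not part of the original guide, and not Menlo or ADFS tooling), the following Python script automates steps 5 to 8 of Option 2 offline: it decodes the SAMLResponse form value, extracts every X509Certificate element from the XML, and compares SHA-256 thumbprints against the Base-64 certificate exported from the IdP, so two long base64 blobs never have to be compared by eye. All function names and the sample data are constructed for this example; the sample certificate bytes are placeholders standing in for DER data, not real certificates.

```python
# Added example (not from the original guide): compare the X509Certificate carried in a
# SAMLResponse with the certificate configured in the Menlo Admin portal.
# Function names, the sample response and the sample certificate bytes are all constructed
# for this example; the sample bytes are NOT a real certificate, only stand-ins for DER data.
import base64
import hashlib
import re
import textwrap
import urllib.parse
import xml.etree.ElementTree as ET

XMLDSIG_NS = "http://www.w3.org/2000/09/xmldsig#"


def normalise_cert(text: str) -> bytes:
    """Return the DER bytes of a certificate given either a PEM block (as exported from
    ADFS with 'Base-64 encoded X.509') or the bare base64 found inside <ds:X509Certificate>."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    body = re.sub(r"\s+", "", body)  # PEM is wrapped at 64 columns; the XML value may be wrapped too
    return base64.b64decode(body)


def fingerprint(der: bytes) -> str:
    """SHA-256 thumbprint of the DER bytes; thumbprints are short enough to compare reliably."""
    return hashlib.sha256(der).hexdigest()


def certs_from_saml_response(saml_response: str) -> list[bytes]:
    """Decode the SAMLResponse form field (HTTP-POST binding: base64 XML, possibly URL-encoded
    when copied from the Form Data view) and return the DER bytes of every
    <ds:X509Certificate> found anywhere in the document."""
    raw = base64.b64decode(urllib.parse.unquote(saml_response))
    root = ET.fromstring(raw)
    return [normalise_cert(el.text or "") for el in root.iter(f"{{{XMLDSIG_NS}}}X509Certificate")]


def check_response(saml_response: str, portal_cert_pem: str) -> dict:
    """Report whether the certificate configured in the portal is among the certificates
    presented in the SAML Response. A False match means the portal needs the new certificate."""
    portal_fp = fingerprint(normalise_cert(portal_cert_pem))
    response_fps = [fingerprint(c) for c in certs_from_saml_response(saml_response)]
    return {"portal": portal_fp, "response": response_fps, "match": portal_fp in response_fps}


# --- constructed sample data (placeholders, not real certificates) ---------------------

def pem_from_der(der: bytes) -> str:
    """Wrap DER bytes the way a 'Base-64 encoded X.509' export from ADFS looks."""
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")


def build_sample_response(der: bytes) -> str:
    """Build a minimal, constructed SAMLResponse carrying `der` in the signature's KeyInfo,
    base64-encoded as it appears in the SAMLResponse form field."""
    xml = (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed" Version="2.0">'
        "<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
        + base64.b64encode(der).decode()
        + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
        "</samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()


OLD_TOKEN_SIGNING_DER = b"constructed placeholder: old ADFS token-signing certificate bytes"
NEW_TOKEN_SIGNING_DER = b"constructed placeholder: new ADFS token-signing certificate bytes"

if __name__ == "__main__":
    # Scenario from the guide: ADFS has rolled over to a new token-signing certificate,
    # but the portal still holds the old one, so the signature cannot be validated.
    report = check_response(build_sample_response(NEW_TOKEN_SIGNING_DER),
                            pem_from_der(OLD_TOKEN_SIGNING_DER))
    print("portal  :", report["portal"])
    print("response:", report["response"])
    print("match   :", report["match"])  # False: upload the new certificate to the portal
```

In practice, replace the constructed sample with the SAMLResponse string copied from the Form Data view (step 5) and the PEM text from the ADFS export (section "Solution to Fix the SAML Response Error"); the script accepts both the bare base64 value and the URL-encoded form of it. It only compares thumbprints; it does not validate the signature itself, which is the portal's job.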

Update the certificate on the Menlo Security Admin portal so that it matches the ADFS certificate.

Note: The instructions and screenshots shown below relate to ADFS on Windows Server 2016; follow the equivalent steps for the environment you are using.

Solution to Fix the SAML Response Error

  1. Go to ADFS Management from Server Manager
  2. Go to Service -> Certificates
  3. Right-click the Token-signing certificate and select View Certificate
  4. Switch to the Details tab, click Copy to File, choose "Base-64 encoded X.509" as the file format and export
  5. Use a text editor (e.g. Notepad) to open the exported certificate file and copy its content
  6. Go to https://admin.menlosecurity.com, Settings | Authentication | Single Sign-On | Edit User SAML Authentication
  7. Click "+ Add Certificate" and paste the certificate you copied
  8. Save the changes
  9. Open a new browser window and access the original site. Enter your credentials; the site should now be displayed successfully.

6. Advanced Diagnostic Tools and Techniques 

The SAML Debugger extension is a good tool that allows Support to inspect the SAML Response.

7. Reporting Unresolved Issues 

The SAML Response Rejected issue should be resolved by this fix.

8. Appendix and Additional Resources 

8.1. Glossary 

SAML (Security Assertion Markup Language)

IDP (Identity Provider)

SSO (Single Sign On)

AD (Active Directory)

ADFS (Active Directory Federation Services)

8.2. Tools and Resources List 

SAML Debugger Extension

8.3. Contact Information 

Seng Weil Yang