
ADFS SSO SAML Idp Initiated SSO Failed: Signature Invalid / Remote Access Authorization error

Knowledge Article Number 000176901
Description: Users on mobile clients that use OAuth 2.0 with SAML SSO through My Domain, and are redirected to the customer's IdP, might see "Invalid Signature" or "Remote Access Authorization" errors.

There are many configuration aspects to check. Customers should confirm the basics first:
1) Both HTTP POST and HTTP Redirect binding methods are supported
2) The RelayState parameter is echoed back unchanged with the SAMLResponse
3) Confirm authentication through a browser first, and examine the trace / validation output (more on this below)
4) Confirm the certificates
5) SHA1 hash for ADFS is recommended

Customers may also post their specific issues at:

Some issues are signature problems. If Salesforce does not complain about the supplied KeyInfo, that usually means the certificate it contains was valid; you can double-check this by regenerating the certificate / private key. NOTE: In a browser test it is possible to verify, in debug mode, that the SAMLResponse is not being altered after it is signed.
A next step is to validate the SAML response. There are many sites available to do this, i.e. 
There is also a SAML response validation page within Salesforce, under Admin | Security | Single Sign-On Settings.
Questions to answer from that validation:
1) What certificate is supplied in the settings? i.e. CN=ADFS Signing… 
2) Is the response signed? Is the assertion signed?
3) Is the correct certificate supplied in the KeyInfo?
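The three questions above can be answered from a captured SAMLResponse form field without any vendor tooling. The following is an added example (not Salesforce or ADFS code) that decodes the HTTP-POST SAMLResponse, reports whether the Response and/or the Assertion carry a ds:Signature, which signature and digest algorithms they declare, and whether the SHA-1 fingerprint of the certificate in KeyInfo matches the certificate configured on the Salesforce side. It reports what the signature claims, not whether the signature value verifies; the sample response, issuer URLs and the "certificate" bytes inside it are constructed placeholders, not real X.509 data.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Algorithm URIs mapped to short names so the report reads "RSA-SHA1" rather than a URI.
ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "RSA-SHA1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "RSA-SHA256",
    "http://www.w3.org/2000/09/xmldsig#sha1": "SHA1",
    "http://www.w3.org/2001/04/xmlenc#sha256": "SHA256",
}


def fingerprint(cert_b64: str) -> str:
    """SHA-1 fingerprint of a base64 DER blob, colon separated as SSO settings pages show it."""
    der = base64.b64decode("".join(cert_b64.split()))
    hexdigest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def _algorithm(sig, path):
    node = sig.find(path, NS)
    uri = node.get("Algorithm") if node is not None else None
    return ALGORITHMS.get(uri, uri)


def _signature_info(element):
    """Describe the ds:Signature that is a direct child of `element`; None if there is none."""
    sig = element.find("ds:Signature", NS)
    if sig is None:
        return None
    cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {
        "signature_algorithm": _algorithm(sig, "ds:SignedInfo/ds:SignatureMethod"),
        "digest_algorithm": _algorithm(sig, "ds:SignedInfo/ds:Reference/ds:DigestMethod"),
        "keyinfo_fingerprint": fingerprint(cert.text) if cert is not None and cert.text else None,
    }


def inspect_saml_response(saml_response_b64: str, configured_cert_b64: str) -> dict:
    """Answer the article's three questions for one captured SAMLResponse form field.

    Only what the signature *claims* is reported (placement, algorithm, certificate);
    the signature value itself is not cryptographically verified here.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    response_sig = _signature_info(root)
    assertion_sig = _signature_info(assertion) if assertion is not None else None
    expected = fingerprint(configured_cert_b64)
    seen = {s["keyinfo_fingerprint"] for s in (response_sig, assertion_sig)
            if s and s["keyinfo_fingerprint"]}
    algorithms = {s[k] for s in (response_sig, assertion_sig) if s
                  for k in ("signature_algorithm", "digest_algorithm")}
    return {
        "response_signed": response_sig is not None,
        "assertion_signed": assertion_sig is not None,
        "response_signature": response_sig,
        "assertion_signature": assertion_sig,
        "configured_fingerprint": expected,
        "keyinfo_fingerprints": sorted(seen),
        # A mismatch here is the usual "Signature Invalid": the IdP signs with a
        # certificate other than the one uploaded in Single Sign-On Settings.
        "keyinfo_matches_configured": bool(seen) and seen == {expected},
        "uses_sha1": any(a in ("RSA-SHA1", "SHA1") for a in algorithms),
    }


# --- constructed sample: not a real ADFS response; the "certificate" is placeholder bytes ---
CONFIGURED_CERT_B64 = base64.b64encode(b"placeholder bytes standing in for the ADFS Signing DER cert").decode()
OTHER_CERT_B64 = base64.b64encode(b"a different placeholder, e.g. the cert after a rollover").decode()

SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" Destination="https://example.my.salesforce.com">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_a1">
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{CONFIGURED_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

if __name__ == "__main__":
    import json
    print(json.dumps(inspect_saml_response(SAMPLE_RESPONSE_B64, CONFIGURED_CERT_B64), indent=2))
```

Paste the SAMLResponse value from the browser's network trace and the base64 certificate from the Single Sign-On settings in place of the two constructed values. If `keyinfo_matches_configured` is false while Salesforce reports an invalid signature, the certificate on the IdP side is the first thing to compare; if it is true, the response is being altered after signing or the signature value itself is bad, which the Salesforce validator will tell you.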
The Salesforce Security team recommends the SHA1 hash for ADFS. Here is a whitepaper with more details on this:

Other resources to check:

This blog discusses modifications to the web.config and FormsSignIn.aspx.cs files.
- ADFS admins: do NOT manually generate the RelayState / target app or RPID
- Remember that our SSO support is for FORMS-based login only

<?xml version="1.0"?>
<!-- Excerpt of the ADFS 2.0 web.config showing only the elements the blog's change touches.
     The order of localAuthenticationTypes matters: the first entry is the default
     authentication type for browser clients, so listing Forms first makes
     forms-based sign-in the default. -->
<configuration>
  <microsoft.identityServer.web>
    <localAuthenticationTypes>
      <add name="Forms" page="FormsSignIn.aspx" />
      <add name="Integrated" page="auth/integrated/" />
      <add name="TlsClient" page="auth/sslclient/" />
      <add name="Basic" page="auth/basic/" />
    </localAuthenticationTypes>
    <!-- The same fragment turns ADFS's own single sign-on session off -->
    <singleSignOn enabled="false" />
  </microsoft.identityServer.web>
</configuration>

// Namespaces the modified FormsSignIn.aspx.cs needs: ConfigurationManager (System.Configuration),
// name/value collections, streams and DEFLATE compression (System.IO.Compression),
// text encoding (System.Text) and XML handling of the SAML message (System.Xml).
using System.Configuration;
using System.Collections.Specialized;
using System.IO;
using System.IO.Compression;
using System.Text;
using System.Xml;

IMPORTANT NOTE for iOS devices: 
When configuring ADFS v2 for use with Salesforce, select the newer "HTTP Redirect" option available in the Salesforce Single Sign-On settings under "Service Provider Initiated Request Binding". This improves interoperability with iOS-based devices.
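The two transport-level items on the checklist (both bindings supported, RelayState echoed back unchanged) and the "HTTP Redirect" option above come down to a small amount of encoding that is easy to get wrong. The following is an added example (not Salesforce or ADFS code) that builds an SP-initiated HTTP-Redirect request the way the binding specifies it (raw DEFLATE, base64, URL-encode), decodes it again as an IdP would, decodes an HTTP-POST response form, and checks that the RelayState came back byte-for-byte. The entity ID, ADFS endpoint URL, AuthnRequest and the IdP's reply are constructed placeholders.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values; real ones come from My Domain and the customer's ADFS endpoint.
SP_ENTITY_ID = "https://example.my.salesforce.com"
IDP_SSO_URL = "https://adfs.example.com/adfs/ls/"
RELAY_STATE = "/home/home.jsp"

SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
    f'Destination="{IDP_SSO_URL}" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>'
)


def encode_redirect_binding(authn_request_xml: str, relay_state: str, idp_sso_url: str) -> str:
    """SP -> IdP over HTTP-Redirect: raw DEFLATE, then base64, then URL-encode into the query."""
    # wbits=-15 selects raw DEFLATE with no zlib header/trailer, which is what the
    # binding requires; sending a zlib-wrapped stream is a classic interoperability trap.
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(authn_request_xml.encode("utf-8")) + compressor.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode("ascii"),
                       "RelayState": relay_state})
    return f"{idp_sso_url}?{query}"


def decode_redirect_binding(url: str) -> dict:
    """What the IdP (or someone reading a browser trace) recovers from the redirect URL."""
    params = parse_qs(urlparse(url).query)
    raw = base64.b64decode(params["SAMLRequest"][0])
    return {
        "authn_request": zlib.decompress(raw, -15).decode("utf-8"),
        "relay_state": params.get("RelayState", [None])[0],
    }


def decode_post_binding(form: dict) -> dict:
    """IdP -> SP over HTTP-POST: SAMLResponse is plain base64 (no DEFLATE); RelayState is verbatim."""
    return {
        "response_xml": base64.b64decode(form["SAMLResponse"]).decode("utf-8"),
        "relay_state": form.get("RelayState"),
    }


def relay_state_echoed(sent_relay_state: str, idp_post_form: dict) -> bool:
    """Checklist item 2: the IdP must return RelayState byte-for-byte. A value that was
    hand-built or re-encoded on the IdP side (the article warns against generating it
    manually) fails this comparison."""
    return idp_post_form.get("RelayState") == sent_relay_state


def simulate_round_trip() -> dict:
    """Constructed end-to-end run: SP builds the redirect, IdP decodes it and POSTs back."""
    url = encode_redirect_binding(SAMPLE_AUTHN_REQUEST, RELAY_STATE, IDP_SSO_URL)
    at_idp = decode_redirect_binding(url)
    # The IdP's POST form: SAMLResponse is a placeholder document, RelayState copied through.
    idp_form = {
        "SAMLResponse": base64.b64encode(b"<samlp:Response/>").decode("ascii"),
        "RelayState": at_idp["relay_state"],
    }
    return {
        "request_survived_encoding": at_idp["authn_request"] == SAMPLE_AUTHN_REQUEST,
        "relay_state_echoed": relay_state_echoed(RELAY_STATE, idp_form),
        "response_xml": decode_post_binding(idp_form)["response_xml"],
    }


if __name__ == "__main__":
    print(simulate_round_trip())
```

When working from a real browser trace, feed the redirect URL to `decode_redirect_binding` and the POSTed form fields to `decode_post_binding`; if the decompression fails, the request was not raw-DEFLATE encoded, and if `relay_state_echoed` is false, the IdP (or something in front of it) is rewriting RelayState.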

Specific to Mobile Issues:

