Print this page

ADFS SP Initiated SignatureVerificationFailedException: SAML Message has wrong signature

Knowledge Article Number 000187898
Description Some customers may notice that even with the correct SP Initiated SSO setup configured at the ADFS Server/proxy that iOS mobile devices still are not able to login/connect to salesforce. You can confirm your settings via logging in with an Android device. If Android devices login and connect successfully, the issue could simply be with the Salesforce Single Sign-on BINDING TYPE setting. (see below)
Step #1: alter the Binding setting in SSO settings
- “Service Provider Initiated Request Binding” setting in Salesforce SSO settings from “HTTP POST” to “HTTP Redirect”
- Test the login connection again.
If this continues to fail, see below for further steps>
Step #2: verify MS ADFS error logging
- Possible error seen at device level or high level Event log: The Federation Service encountered an error while processing the SAML authentication request.
- Additional Details (event Logs)
The Event log on the ADFS server showed the following event under (typically located at):  Applications and Services Logs/AD FS 2.0/Admin
Event ID: 303
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: MSIS0038: SAML Message has wrong signature. Issuer: 'https://<mydomain>'.
   at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)
Please reference an additional tech forum at: 
This forum suggests the issue is caused by a patch problem noted in KB 2843638 ( . This KB article will suggest removing a specific MS patch from the ADFS host and the proxy server but this most likely will NOT resolve this issue.

** IMPORTANT ** MS has released a hotfix that has been reported (by salesforce customers) to resolve this issue. Apply this hotfix to both the ADFS Host and Proxy Server. “Update is available to fix several issues AFTER you install security update 2843638 on an AD FS server”

promote demote