Loading

'The signature in the response is not valid' error in SAML Validator

Fecha de publicación: Jun 3, 2026
Descripción

When troubleshooting Single Sign-On (SSO) login issues in Salesforce, administrators use the SAML Assertion Validator tool (accessible via Setup > Single Sign-On Settings > SAML Assertion Validator) to validate SAML responses from their Identity Provider (IdP).
SAML (Security Assertion Markup Language) is the industry-standard protocol used for Single Sign-On (SSO) authentication between Salesforce and external identity providers such as Okta, Microsoft Azure AD, and PingFederate. When a user logs in via SSO, the IdP generates a SAML response — a digitally signed XML document — and sends it to Salesforce.
If a SAML response that was successfully used to log into Salesforce is incorrectly decoded (for example, it contains extra whitespace or line breaks from copy-pasting) before being passed to the SAML Validator, the validator will report:
"The signature in the response is not valid."
This error does not necessarily mean the original SSO login had an invalid signature — it means the SAML response was improperly formatted before being submitted to the validator.

Solución

To resolve this error, capture the SAML response correctly using one of the following tools and validate it in the Salesforce SAML Validator. The SAML Validator accepts both plain text and base64-encoded SAML responses.

How to Capture a SAML Response Using SAML Tracer (Firefox)

SAML Tracer is a browser extension for Mozilla Firefox that captures SAML transactions.

  1. Open the SAML Tracer tool in Firefox (install from the Firefox Add-ons store if not already installed).
  2. Initiate the SSO login to Salesforce in Firefox.
  3. In SAML Tracer, select the POST request tagged with the orange "SAML" label — this request contains the SAML Response.
  4. Go to the Parameters tab and copy the base64-encoded SAML Response value.
  5. Paste the value directly into the Salesforce SAML Validator.

How to Capture a SAML Response Using Axiom IdP

Axiom is a web-based SAML testing tool available at http://axiomsso.herokuapp.com/Home.action that acts as a test Identity Provider (IdP).

  1. Navigate to
  2. Fill in the SSO settings from Salesforce Setup > Security Controls > Single Sign-On Settings.
  3. Click to request a SAML Response from Axiom.
  4. Copy the text from either the "Plain Text SAML Response" field or the "Base64 Encoded SAML Response" field.
  5. Paste the copied value into the Salesforce SAML Validator.

How to Capture a SAML Response Using Fiddler

Fiddler is a web traffic inspection tool that can capture HTTP/HTTPS requests including SSO flows.

  1. Start capturing traces in Fiddler.
  2. Initiate the SSO login to Salesforce.
  3. Look for an HTTPS POST request to your MyDomain URL (format: [MyDomain].my.salesforce.com) with the path /?so=[OrgId] (for example, /?so=00D00000000xxxx).
  4. Click the request and go to the WebForms tab. The body shows the encoded SAML Response.
  5. Right-click the SAML Response value and select Send to TextWizard.
  6. In TextWizard, choose Transform from Base64 to decode the response.
  7. Copy the decoded plain text SAML response and paste it into the Salesforce SAML Validator.

When correctly validated, the SAML Validator will confirm: "The signature in the response is valid. OK."

Número del artículo de conocimiento

000388106

 
Cargando
Salesforce Help | Article