Received invalid SAML response: Signature validation failed. SAML Response rejected
Platform notice: Server and Data Center only. This article applies only to Atlassian products on the Server and Data Center platforms.
- We had trouble logging you in. We can't log you in right now. This may be for a variety of reasons, we suggest trying again. If that doesn't work, contact your Confluence administrator for help.
- Confluence Data Center 6.1.x and above
- Using the built-in SAML plugin
- Users cannot login after setting up SAML in Confluence and in the IdP
- After the first failed attempt where you receive the error in the above screenshot, add logging for com.atlassian.plugins.authentication with a level of ALL, then reproduce the issue in your browser.
You should see something similar to this error (your IdP URL will vary) in

```
ERROR ... Received invalid SAML response: Signature validation failed. SAML Response rejected -- referer: http://example.com/pingfederate/idp/startSSO.ping?PartnerSpId=https://confluence.example.com | url: /plugins/servlet/samlconsumer | traceId: d8d652948ef10fa1 | userName: anonymous com.atlassian.plugins.authentication.impl.web.saml.provider.InvalidSamlResponse: Received invalid SAML response: Signature validation failed. SAML Response rejected
```
There are two possible causes:
1. Mismatch with the X509 certificate used for signing (the certificate configured in Confluence doesn't match the one the IdP actually signs with).
2. The IdP's default is to sign the entire response. The SAML module that Confluence uses expects only the assertion portion of the SAML response to be signed.
For cause #1:
Check that the X509 certificate configured in Confluence is the same as the one the IdP uses, which you can retrieve from the SAML response or directly from the IdP. If they don't match, modify the SAML configuration in Confluence with the correct certificate.
For cause #2:
In federation systems, the IdP has the ability to sign the entire response or just the assertion portion of the response (see screenshot below). Configure the IdP to sign only the assertion portion of the SAML response.
Example from PingFederate:
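As an added diagnostic that is not part of this article, the SAML plugin, or PingFederate, the script below takes the decoded SAMLResponse XML and reports which of the two causes applies: it checks whether the ds:Signature element sits under the Response or under the Assertion, and whether the embedded X509Certificate matches the one configured in Confluence. The certificates and the make_response builder are constructed placeholders, not real IdP output.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholders, not real certificates: the base64 DER an IdP embeds in
# <ds:X509Certificate> and that an admin pastes into the Confluence SAML config.
FAKE_CERT_B64 = base64.b64encode(b"CONSTRUCTED-NOT-A-REAL-CERT").decode()
OTHER_CERT_B64 = base64.b64encode(b"CONSTRUCTED-ROTATED-IDP-CERT").decode()

def decode_form_param(saml_response_b64):
    """The SAMLResponse POST parameter is base64; return the XML text inside."""
    return base64.b64decode(saml_response_b64).decode()

def fingerprint(cert_b64):
    """SHA-256 over the DER bytes, so PEM line wrapping in the XML is ignored."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()

def make_response(sign_response, sign_assertion, cert_b64):
    """Build a minimal constructed Response signed at the Response, Assertion, or both."""
    sig = ('<ds:Signature xmlns:ds="%s"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
           '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>' % (NS["ds"], cert_b64))
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1">%s'
            '<saml:Assertion ID="_a1">%s<saml:Subject/></saml:Assertion></samlp:Response>'
            % (NS["samlp"], NS["saml"], sig if sign_response else "", sig if sign_assertion else ""))

def analyze(xml_text, configured_cert_b64):
    """Report where <ds:Signature> sits and whether its certificate matches the configured one."""
    root = ET.fromstring(xml_text)
    response_sig = root.find("ds:Signature", NS)          # signature over the whole Response
    assertion = root.find("saml:Assertion", NS)
    assertion_sig = assertion.find("ds:Signature", NS) if assertion is not None else None
    sig = assertion_sig if assertion_sig is not None else response_sig
    cert = sig.findtext(".//ds:X509Certificate", default="", namespaces=NS) if sig is not None else ""
    return {"response_signed": response_sig is not None,
            "assertion_signed": assertion_sig is not None,
            "cert_matches": bool(cert) and fingerprint(cert) == fingerprint(configured_cert_b64)}

def diagnose(xml_text, configured_cert_b64):
    """Map the analysis onto the two causes from the article."""
    r = analyze(xml_text, configured_cert_b64)
    if not r["assertion_signed"]:
        return "cause 2" if r["response_signed"] else "unsigned"
    return "ok" if r["cert_matches"] else "cause 1"

if __name__ == "__main__":
    print(diagnose(make_response(True, False, FAKE_CERT_B64), FAKE_CERT_B64))   # cause 2
    print(diagnose(make_response(False, True, OTHER_CERT_B64), FAKE_CERT_B64))  # cause 1
```

To check a real login attempt, feed the SAMLResponse value captured from the browser's POST to /plugins/servlet/samlconsumer through decode_form_param and pass the certificate from the Confluence SAML configuration as configured_cert_b64.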