Authentication failed: SAML login failed: ['invalid_response'] (Signature validation failed. SAML Response rejected)

I’m trying to set up third party login on our Ironwood installation of Open edX with our ADFS system.

On the LMS, after I click the sign in button and select our school, I am taken to our ADFS login page. I authenticate to the ADFS system and am returned to our Open edX platform with an error at the top of the page reading:

An error occurred when signing you in…

Error Details:
Authentication failed: SAML login failed: ['invalid_response'] (Signature validation failed. SAML Response rejected)

In the LMS system logs I can see the SAML request and response. After reading the error message, I used to validate the response. SAMLTool indicated that it was a valid response.

Any ideas where I could go next or why Open edX would feel that this is an invalid response?

Hi Twlichty,

Please read the following posts; they may help you. !msg/openedx-ops/d-rmACND180/ZuLbMh9SIAAJ


Thanks @deep06. I had read those and nothing changed.

I was able to integrate the OneLogin test SAML connector on my installation of Open edX without any issues. I’m thinking this may be an issue with the ADFS setup.

Hi @twlichty, I ran into a problem with the same error message a while back. What I found was, roughly, that the IdP’s metadata included multiple different certificates. You could see in the metadata file one was for “encryption” and one was for “signing”, and I think there may have been a couple more. The EdX process that pulls in the cert was pulling the wrong one. It was pulling encryption when we needed signing.
The fix I did was I unchecked the “Enable automatic metadata refresh” box and manually populated their cert data, which fixed the issue.

FYI, we ended up not doing the integration, so I can’t speak to the long-term maintenance issue this creates. I think you’d have to find out what schedule they update their certs on, and manually make the change on the Open EdX side at the same time. Or find a way to fix the cert that gets automatically pulled in.

Let me know how it goes!
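
The multiple-certificate situation described in the last reply can be checked offline before changing any settings. The following is an added example, not code from this thread or from Open edX: it reads an IdP metadata document, groups the published certificates by their `KeyDescriptor` `use`, and reports which use the certificate stored on the service-provider side matches. The metadata, the entityID, the placeholder certificate bytes and all function names are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def fake_cert(raw):
    """Base64 of placeholder bytes standing in for a DER certificate (constructed)."""
    return base64.b64encode(raw).decode()

def key_descriptor(raw, use=None):
    attr = f' use="{use}"' if use else ""
    return (f"<md:KeyDescriptor{attr}><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
            f"{fake_cert(raw)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
            "</md:KeyDescriptor>")

# Constructed IdP metadata: encryption key listed first, then signing, then one with no "use".
SAMPLE_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
    'entityID="https://idp.example.edu/adfs/services/trust"><md:IDPSSODescriptor '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + key_descriptor(b"constructed-encryption-cert", "encryption")
    + key_descriptor(b"constructed-signing-cert", "signing")
    + key_descriptor(b"constructed-dual-use-cert")
    + "</md:IDPSSODescriptor></md:EntityDescriptor>")

def fingerprint(cert_b64):
    """SHA-256 over the decoded certificate bytes, ignoring PEM-style line wraps."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()

def idp_certs_by_use(metadata_xml):
    """Map "signing"/"encryption" to the fingerprints the IdP role publishes for it."""
    # Stdlib parser is used for a locally saved file; prefer defusedxml for fetched XML.
    root = ET.fromstring(metadata_xml)
    found = {"signing": set(), "encryption": set()}
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use")
        # Per the SAML metadata schema, a missing "use" means the key serves both purposes.
        uses = list(found) if use is None else [use]
        for cert in kd.findall(".//ds:X509Certificate", NS):
            for u in uses:
                found.setdefault(u, set()).add(fingerprint(cert.text or ""))
    return found

def classify_configured_cert(metadata_xml, configured_b64):
    """Which published use(s) match the certificate stored on the service-provider side."""
    want = fingerprint(configured_b64)
    return sorted(u for u, fps in idp_certs_by_use(metadata_xml).items() if want in fps)

if __name__ == "__main__":
    first_listed = fake_cert(b"constructed-encryption-cert")
    print(classify_configured_cert(SAMPLE_METADATA, first_listed))
```

A result of only `["encryption"]` for the stored certificate is consistent with the signature-validation failure described above; an empty list means the stored certificate is not in the metadata at all.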