SSO authentication fails with "Invalid Signature on SAML Response"

Problem

Single Sign-On (SSO) authentication to Terraform Enterprise (TFE) fails with Invalid Signature on SAML Response error.

Prerequisite

This error may only occur in SSO-enabled Terraform instances.

Cause

SAML is configured with an incorrect IdP certificate.

To validate this

• Use the SAML Debugging guide to reproduce the error SAML debugging enabled
• Check the value of <dsig:X509Certificate>...</dsig:X509Certificate> in the output:

• Compare it to TFE configuration by navigating to https://<TFE HOSTNAME>/app/admin/saml → look for Identity Provider Settings section → IDP Certificate:

Solution

Make sure that IdP certificate matches with TFE SAML configuration.

Outcome

Users are able to authenticate to TFE via SSO.

Additional Information

• SAML Debugging 
• SAML Configuration
• If there is no non-SSO account, create one by following How To Access the Terraform Enterprise Rails Console and Create a local TFE Administrator