Issue
When setting up SAML SSO between Mattermost and Microsoft Entra ID (formerly Azure AD), login attempts may fail with the following error:
SamlInterfaceImpl.DoLogin: We received an invalid signature in the response from the Identity Provider. Please contact your System Administrator.
This error indicates that Mattermost could not validate the signature in the SAML response from Entra ID.
Root Cause
This problem occurs when Mattermost expects both the SAML response and the assertion to be signed, but the Identity Provider (IdP) is not configured to apply the matching signing settings. Specifically, if the IdP does not sign both the response and the assertion, or signs with an algorithm that does not match the one Mattermost is configured to verify, signature verification fails.
Solution
To ensure compatibility and signature validation, configure both Entra ID and Mattermost with aligned settings.
In Entra ID (Azure Portal):
- Navigate to Enterprise Applications > your application > Single sign-on.
- In the SAML Signing Certificate section, click Edit.
- Enable the following settings:
  - Sign SAML response and assertion
  - Signing Algorithm: SHA-256
Entra ID supports multiple signing algorithms; make sure the signing algorithm is explicitly set to SHA-256 so that it matches the algorithm Mattermost verifies.
In Mattermost System Console:
Navigate to System Console > Authentication > SAML 2.0 and configure the following options:
- Verify Signature: Enabled
- Signature Algorithm: RSAwithSHA256
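To confirm which parts of a SAML response the IdP actually signs, and with which algorithm, the following added diagnostic script (not Mattermost's or Microsoft's code) parses a captured response and reports whether both the Response element and the Assertion carry an RSA-SHA256 signature. The sample response is constructed for the example; the script only inspects the XML structure and does not verify the signatures cryptographically.

```python
"""Report which parts of a SAML Response are signed and with which algorithm.

Added diagnostic example; not Mattermost's own code. It inspects the XML
structure only and does not cryptographically verify any signature.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# XML-DSig URI for RSA with SHA-256 (what "RSAwithSHA256" in Mattermost maps to)
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def signature_algorithm(elem):
    """Return the SignatureMethod Algorithm of elem's direct ds:Signature child,
    None if the element is not signed, or "" if the signature lacks a method."""
    sig = elem.find("ds:Signature", NS)
    if sig is None:
        return None
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    return method.get("Algorithm") if method is not None else ""


def check_saml_response(xml_text):
    """Return signature coverage of a SAML Response; 'ok' is True only when
    both the Response and its Assertion carry an RSA-SHA256 signature."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    resp_alg = signature_algorithm(root)
    asrt_alg = signature_algorithm(assertion) if assertion is not None else None
    return {
        "response_alg": resp_alg,
        "assertion_alg": asrt_alg,
        "ok": resp_alg == RSA_SHA256 and asrt_alg == RSA_SHA256,
    }


# Constructed sample: only the Assertion is signed, and with RSA-SHA1. This is
# the kind of mismatch that produces the "invalid signature" error above.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      </ds:SignedInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_saml_response(SAMPLE_RESPONSE))
```

Run it against a SAML response captured from a browser SAML tracer (the base64-decoded SAMLResponse form value); a result with `ok: False` shows which of the two signatures or which algorithm the IdP configuration is missing.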