Possible cause of "Invalid query param signature error"?

Hi.

I’m struggling to figure out the cause of “Invalid requester” when being directed to my Realm Client SAMLRequest endpoint. My browser will show a Keycloak page with “Invalid requester” and the Keycloak logs will show this:

19:38:43,405 ERROR [org.keycloak.protocol.saml.SamlService] (default task-6) request validation failed: org.keycloak.common.VerificationException: org.keycloak.common.VerificationException: Invalid query param signature
19:38:43,405 WARN  [org.keycloak.events] (default task-6) type=LOGIN_ERROR, realmId=CSDPAC, clientId=null, userId=null, ipAddress=172.23.0.1, error=invalid_signature

Does anybody have a pointer on what the validation error could be? The Mellon redirected browser URL looks like this:

http://proxy.test.demo/auth/realms/CSDPAC/protocol/saml?SAMLRequest=hZJfa8IwF...%3D&RelayState=http%3A%2F%2Fproxy.test.demo%2Fcamunda&SigAlg=http%3A%2F%2Fwww.w3.org%2F2001%2F04%2Fxmldsig-more%23rsa-sha256&Signature=E6B7R...D%3D

My Realm Client signature algorithm is RSA_SHA256 (the default) and I believe that’s what’s specified in the redirect URL.

Thanks in advance.

Keycloak seems to be unhappy with the Mellon SAML Signature Request Key. It is able to locate a valid public key for validation, but then when it tried to validate the Signature using the identified SigAlg (https://www.w3.org/2001/04/) it failed with “Invalid query param signature”:

Do you have any tips? Does this exception mean that the Mellon “Signature” parameter in the redirect URL can’t be validated by the public key imported/retrieved, or that Mellon isn’t generating a compatible Signature (or original key)?
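As an added example (not from this thread, Keycloak or mod_auth_mellon), the Go code below reproduces the check behind “Invalid query param signature” for the HTTP-Redirect binding: the SP signs the URL-encoded SAMLRequest, RelayState and SigAlg parameters in that order with RSA-SHA256, and the IdP verifies that signature over the raw query string using the client's registered public key. Feeding it the real query string and the client's public key (PEM loading is assumed to be done separately) shows whether the signed bytes or the key are what mismatch.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"net/url"
	"strings"
)

// SigAlg value for Keycloak's default RSA_SHA256 client signature algorithm.
const RSASHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

// BuildSignedQuery signs the URL-encoded SAMLRequest, RelayState and SigAlg parameters
// (in that order) as an SP does, then appends the base64 signature as Signature=.
func BuildSignedQuery(key *rsa.PrivateKey, samlRequestB64, relayState string) (string, error) {
	signed := "SAMLRequest=" + url.QueryEscape(samlRequestB64) +
		"&RelayState=" + url.QueryEscape(relayState) +
		"&SigAlg=" + url.QueryEscape(RSASHA256)
	h := sha256.Sum256([]byte(signed))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return signed + "&Signature=" + url.QueryEscape(base64.StdEncoding.EncodeToString(sig)), nil
}

// VerifyRedirectQuery is the IdP-side check: verify over the raw query string as received,
// still URL-encoded, because decoding and re-encoding can change the signed bytes.
func VerifyRedirectQuery(pub *rsa.PublicKey, rawQuery string) bool {
	i := strings.Index(rawQuery, "&Signature=")
	if i < 0 {
		return false
	}
	signed, sigParam := rawQuery[:i], rawQuery[i+len("&Signature="):]
	params, err := url.ParseQuery(signed)
	if err != nil || params.Get("SigAlg") != RSASHA256 {
		return false // reject missing or unexpected algorithms before using the key
	}
	sigB64, _ := url.QueryUnescape(sigParam) // a bad escape yields "", which fails below
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	h := sha256.Sum256([]byte(signed))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
}
```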

Hi,

Have you ever figured out what’s causing the issue? I ran into this exact same issue when signing my request.

Thanks,
cv37