Question

After I invoke single-log-out (SLO), by calling 'GET' on https://[PingFederate Server Instance]:[Port]/sp/startSLO.ping, my PingFederate server begins making requests to my SP logout services. [I know this because I can see it happening in Fiddler.]

But when one of my SPs invokes "https://<PingFederate DNS>:XXXX" + request.getParameter("resume"); (per @Scott T.'s answer here), I get an error message:

Error - Single Logout Nonsuccess Response status: urn:oasis:names:tc:SAML:2.0:status:Requester Status Message: Invalid signature Your Single Logout request did not complete successfully. To logout out of your Identity Provider and each Service Provider, close all your browser windows. Partner: XXXX:IDP Target Resource: http://<domain>/<default SLO endpoint>

My Questions:

  • What is this error message referring to?
  • How can I resolve this error condition?

Solution

This error is likely due to a mismatch in configuration between IdP and SP. The signing keys/certificate for SAML messages used at one end must match the verification certificate at the other end. Check your Credentials configuration on your connection for both IdP and SP. See this section in the PingFederate Administration Guide for some details.
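
One way to check for the mismatch described in the answer, as an added example that is not part of the original post and not PingFederate code: compare the SHA-256 fingerprint of the verification certificate configured on one side with the signing certificates in the partner's SAML 2.0 metadata. It assumes the partner's metadata is available as XML; the function names and sample data are hypothetical.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def fingerprint(cert_text):
    """SHA-256 over the DER bytes of a certificate given as PEM or bare base64."""
    lines = [ln.strip() for ln in cert_text.splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body)).hexdigest()

def signing_fingerprints(metadata_xml):
    """Fingerprints of every certificate the partner's metadata offers for signing."""
    found = set()
    for kd in ET.fromstring(metadata_xml).iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") in (None, "signing"):  # no 'use' attribute covers signing too
            for cert in kd.iter(f"{{{DS}}}X509Certificate"):
                if cert.text and cert.text.strip():
                    found.add(fingerprint(cert.text))
    return found

def verification_cert_matches(partner_metadata_xml, local_verification_pem):
    """True if the locally configured verification cert is one the partner signs with."""
    return fingerprint(local_verification_pem) in signing_fingerprints(partner_metadata_xml)

def pem(b64):
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"

# Constructed sample data: placeholder bytes stand in for real X.509 certificates.
CERT_A = base64.b64encode(b"constructed placeholder certificate A").decode()
CERT_B = base64.b64encode(b"constructed placeholder certificate B").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="example:partner">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_A}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_B}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print("configured A:", verification_cert_matches(SAMPLE_METADATA, pem(CERT_A)))
    print("configured B:", verification_cert_matches(SAMPLE_METADATA, pem(CERT_B)))
```

Run the comparison in both directions (IdP metadata against the SP's verification certificate, and SP metadata against the IdP's), since logout requests and responses are signed by different parties.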

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow