Dealing with SAML token “The signature verification failed” error

If you are working with WIF and SAML tokens, chances are you have seen the “The signature verification failed” error. It happened to me and almost drove me crazy!

Signed SAML tokens are very elegant XML documents/nodes. You are not supposed to touch them once they are generated and signed, because even a single space added or removed will cause the verification to fail.

In my case it was even more confusing: my code could successfully verify SAML tokens from one STS but always failed for another one. And to make things worse, the failing STS source was the production STS. (It seems that’s always the case :)

It turned out the problem was a combination of the STS and the way .NET handles the XML classes’ InnerXml property:

- The production STS generated SAML tokens with some newlines (“\n” or 0D-0A in hex)
- When calling XmlNode’s InnerXml property to get the XML of the token from the XML document, it removes the newlines

It took a lot of effort to figure this out, but it was pretty easy to fix once I knew what went wrong. This is the method I wrote to get the XML of the token from the whole XML doc:

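        private string GetTokenXMLString(string originalXmlString, XmlNode assertion)
        {
            // Qualified name of the assertion element, as it appears in the document.
            string assertionHeader = assertion.Name;
            string beginPoint = "<" + assertionHeader;
            string endPoint = "</" + assertionHeader + ">";

            // XML names are case-sensitive, so search the untouched original string ordinally.
            int beginIndex = originalXmlString.IndexOf(beginPoint, StringComparison.Ordinal);
            if (beginIndex < 0)
                throw new InvalidOperationException("Assertion start tag not found in the original XML.");

            int endIndex = originalXmlString.IndexOf(endPoint, beginIndex, StringComparison.Ordinal);
            if (endIndex < 0)
                throw new InvalidOperationException("Assertion end tag not found in the original XML.");

            // Return the exact substring, whitespace included, so the signed content is unchanged.
            return originalXmlString.Substring(beginIndex, endIndex - beginIndex + endPoint.Length);
        }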

Before you call this method, you need to verify that there is an assertion node within the XML document and pass it as the assertion parameter. The originalXmlString parameter is the original XML string of the XML document, and you don’t want to get it by using the InnerXml or OuterXml properties. Of course you need to trap errors and add your log/trace logic to this routine.
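The whitespace sensitivity described above can be reproduced with plain XML-DSig, as an added example that is not code from the original post. It uses SignedXml rather than the WIF token handlers, a throwaway RSA key, and a constructed stand-in element instead of a real SAML assertion; it assumes the newlines are lost because the document is loaded with XmlDocument's default PreserveWhitespace = false, which the post does not state. The same signed string fails verification when loaded with the default and passes when whitespace is preserved.

```csharp
// Added example. Needs System.Security.Cryptography.Xml
// (System.Security.dll on .NET Framework, a NuGet package on .NET Core and later).
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

static class PreserveWhitespaceDemo
{
    // Constructed sample: a stand-in "assertion" with newlines between its elements.
    const string Unsigned =
        "<Assertion ID=\"_a1\">\n  <Subject>alice</Subject>\n" +
        "  <Audience>urn:example:rp</Audience>\n</Assertion>";

    // Plays the STS: signs the document exactly as written, newlines included.
    static string Sign(RSA key)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(Unsigned);
        var signedXml = new SignedXml(doc) { SigningKey = key };
        var reference = new Reference(""); // empty URI: the whole document
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);
        signedXml.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        return doc.OuterXml;
    }

    // Plays the relying party: the only variable is how the received XML is loaded.
    static bool Verify(string xml, RSA key, bool preserveWhitespace)
    {
        var doc = new XmlDocument { PreserveWhitespace = preserveWhitespace };
        doc.LoadXml(xml); // with false, whitespace-only nodes are dropped here
        var signedXml = new SignedXml(doc);
        var signature = (XmlElement)doc.GetElementsByTagName(
            "Signature", SignedXml.XmlDsigNamespaceUrl)[0];
        signedXml.LoadXml(signature);
        return signedXml.CheckSignature(key);
    }

    static void Main()
    {
        using (RSA key = RSA.Create()) // throwaway key for the demo
        {
            string token = Sign(key);
            Console.WriteLine("PreserveWhitespace=false: " + Verify(token, key, false));
            Console.WriteLine("PreserveWhitespace=true:  " + Verify(token, key, true));
        }
    }
}
```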

Good luck and enjoy SAML!

Zewei Song, Ph.D.

MCPD, MCTS: .NET 3.5, MOSS AppDev, Configuration

Enterprise Services, Microsoft Corporation


Comments (2)

  1. Bjørn says:

    Thank you, very very very much! I've been looking in all directions and it turned out to be XML formatting for me too. This is from an MVC action, and the trick was to add SaveOptions.DisableFormatting in the ToString() of the XElement.

    XElement metadata = config.GetFederationMetadata(
       Url.Action("Issue", "Sts", null, Request.Url.Scheme),
       Url.Action("WsTrust", "Sts", null, Request.Url.Scheme));

    return Content(metadata.ToString(SaveOptions.DisableFormatting), "text/xml");

  2. Bogdan says:

    Thank you Dr. Z!