KB-1938 SAML authentication fails with HTTP 401 code due to invalid signature

Symptoms

Users are unable to log in, and the following error is printed in the tomcat-stdOut.log file located in the <APPIAN_HOME>/logs directory:

ERROR com.appiancorp.security.auth.AppianAuthenticationProvider - Error while trying to authenticate the token: com.appiancorp.security.auth.saml.SamlAuthToken@6e1dda2b: Principal: null; Credentials: [PROTECTED]; Authenticated: false; Details: AuthenticationDetails[ts=<time_stamp>, entryPoint=PORTAL, clientIpAddress=<IP_Address>, clientUserAgent=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.110 Safari/537.36]; Not granted any authorities
org.opensaml.messaging.handler.MessageHandlerException: Signature was either invalid or signing key could not be established as trusted

The user also sees an HTTP 401 error in the UI when trying to log in.

Cause

This issue occurs when the IdP metadata provided to Appian is invalid: the signing certificate in that metadata is expired, or it is not the certificate the IdP actually uses to sign SAML responses (for example, the IdP rotated its signing key and Appian still holds the old metadata). OpenSAML then cannot establish the signing key as trusted and rejects the response, which is what the "Signature was either invalid or signing key could not be established as trusted" message reports.

Action

  1. Involve the IdP team to check that the IdP signing certificate is valid (not expired or revoked), and that the certificate in the IdP metadata held by Appian is the one the IdP actually signs with.
  2. If the above does not resolve the issue, follow KB-1461 to generate a new IdP signing certificate.
  3. Ask the IdP to remove the current connection and re-establish it. This refreshes the partnership and allows Appian to connect to the IdP.
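The following is an added diagnostic for step 1; it is example code written for this article and is not part of Appian or OpenSAML. It takes the IdP metadata XML that was uploaded to Appian and the base64 SAMLResponse form field that the browser POSTs to Appian (captured from the browser's network tools during a failed login), computes a SHA-256 fingerprint of every certificate in each, and reports whether the certificate the IdP signed with is one of the signing certificates Appian was told to trust. Only the Python standard library is used. The entity ID, IDs and certificate bodies in the sample data are constructed stand-ins, not real values; the certificate bytes in particular are arbitrary placeholders, since the check fingerprints them without parsing them.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def cert_fingerprint(x509_text: str) -> str:
    """SHA-256 fingerprint of a <ds:X509Certificate> body (base64 DER, usually line-wrapped)."""
    der = base64.b64decode("".join(x509_text.split()))
    return hashlib.sha256(der).hexdigest()


def metadata_signing_fingerprints(idp_metadata_xml: str) -> set:
    """Fingerprints of the certificates the IdP metadata declares for signing.

    A <md:KeyDescriptor> with no 'use' attribute is valid for both signing and
    encryption, so it is included; use="encryption" descriptors are skipped."""
    root = ET.fromstring(idp_metadata_xml)
    fps = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            fps.add(cert_fingerprint(cert.text))
    return fps


def response_signing_fingerprints(saml_response_b64: str) -> set:
    """Fingerprints of the certificates carried in <ds:KeyInfo> of every signature
    (Response level and Assertion level) in a base64-encoded SAMLResponse."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    fps = set()
    for sig in root.iterfind(".//ds:Signature", NS):
        for cert in sig.iterfind(".//ds:X509Certificate", NS):
            fps.add(cert_fingerprint(cert.text))
    return fps


def diagnose(idp_metadata_xml: str, saml_response_b64: str) -> dict:
    """Compare what the IdP signed with against what Appian was given to trust."""
    trusted = metadata_signing_fingerprints(idp_metadata_xml)
    presented = response_signing_fingerprints(saml_response_b64)
    if not trusted:
        verdict = "metadata has no signing certificate"
    elif not presented:
        verdict = "response carries no certificate; compare the IdP signing cert out of band"
    elif presented <= trusted:
        verdict = "match"
    else:
        verdict = "mismatch"
    return {"verdict": verdict, "trusted": sorted(trusted), "presented": sorted(presented)}


# Constructed stand-ins for DER certificates (not real X.509 data).
CERT_OLD = base64.b64encode(b"constructed DER: IdP signing cert, rotated out").decode()
CERT_NEW = base64.b64encode(b"constructed DER: IdP signing cert, current").decode()
CERT_ENC = base64.b64encode(b"constructed DER: IdP encryption cert").decode()


def make_metadata(signing_cert_b64: str) -> str:
    """Constructed IdP metadata with one signing and one encryption KeyDescriptor."""
    return f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{signing_cert_b64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{CERT_ENC}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def make_response(signing_cert_b64: str) -> str:
    """Constructed, base64-encoded SAMLResponse whose signature KeyInfo carries the given cert."""
    xml = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_constructed" Version="2.0" IssueInstant="2019-05-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2ln</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {signing_cert_b64}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    # Stale metadata (old cert) vs. a response signed with the rotated-in cert.
    print(diagnose(make_metadata(CERT_OLD), make_response(CERT_NEW))["verdict"])
    # Metadata refreshed with the current cert.
    print(diagnose(make_metadata(CERT_NEW), make_response(CERT_NEW))["verdict"])
```

A "mismatch" result points at stale or wrong metadata and the fix is to obtain current IdP metadata (steps 1 and 3). A "match" result means the metadata certificate is the one in use, so the remaining suspects are an expired certificate or a genuinely broken signature, neither of which this fingerprint comparison detects. Note that the certificate inside a SAMLResponse's KeyInfo is supplied by whoever built the response, so it is a diagnostic hint only; Appian's trust decision is, correctly, anchored on the certificate in the metadata it holds, never on the one embedded in the response.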

Affected Versions

This article applies to all versions of Appian. 

Last Reviewed: May 2019
