ForgeRock Identity Platform
Does not apply to Identity Cloud

Signature algorithm is not supported error when verifying a signed SAML assertion in AM 5.x or 6.x

Last updated Apr 13, 2021

The purpose of this article is to provide assistance if you receive a "com.sun.identity.saml2.common.SAML2Exception: Signature algorithm is not supported" error when AM attempts to verify the signature on a SAML request (for example, an AuthnRequest) that was received using the HTTP-Redirect binding.


Symptoms

The following error is shown in the Federation debug log when AM, acting as the IdP, verifies the signature on an AuthnRequest received via the HTTP-Redirect binding:

ERROR: IDPSSOFederate.doSSOFederate: authn request verification failed.
com.sun.identity.saml2.common.SAML2Exception: Signature algorithm is not supported.
      at com.sun.identity.saml2.common.QuerySignatureUtil.verify(
      at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(
      at com.sun.identity.saml2.profile.IDPSSOFederate.doSSOFederate(
      at jsp_servlet._saml2._jsp.__idpssofederate._jspService(

Recent Changes

Configured a new XML signature algorithm for signing requests.

Introduced the HTTP-Redirect binding for AuthnRequest or for other non-web SSO requests such as LogoutRequest.


Causes

The signature algorithm used to sign the request (when the binding used is HTTP-Redirect) is not supported by AM.

With the HTTP-Redirect binding, the signature is not embedded in the XML message. Instead, the SAMLRequest, RelayState (if present) and SigAlg query parameters are signed and the result is sent in a separate Signature query parameter. AM's QuerySignatureUtil rejects the request with "Signature algorithm is not supported" when the algorithm URI carried in SigAlg is not one of the algorithms it recognises.

The list of supported signature algorithms is shown in the documentation: Reference › Algorithms

ForgeRock strongly recommends using *SHA-256 variants (rsa-sha256 or ecdsa-sha256).


Solution

This issue can be resolved by configuring the sender of the request (typically the SP) to sign its requests with a signature algorithm that AM supports (see the list above). Note that on the AM side, requests are only signed and verified by QuerySignatureUtil when the binding used is HTTP-Redirect, because that binding carries the signature in the SigAlg and Signature query parameters rather than inside the XML.
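
The following Python script is an added illustration for this article; it is not AM code and does not reproduce QuerySignatureUtil. It shows what a practitioner can check from a captured redirect URL: which algorithm URI the SigAlg parameter names, whether that URI is on an allowlist, and exactly which octets (SAMLRequest, RelayState, SigAlg, in that order, still URL-encoded) are covered by the Signature parameter. The allowlist, hostnames, request ID and the placeholder Signature value are assumptions constructed for the example; the authoritative list of supported algorithms for your AM version is the Reference › Algorithms page. No cryptographic verification is performed, since that requires the SP's key and is not where this error originates.

```python
"""Inspect the SigAlg of a SAML 2.0 HTTP-Redirect binding URL.

Added illustration; not AM code. The algorithm lists, hostnames and IDs
below are assumptions constructed for the example.
"""
import base64
import urllib.parse
import zlib

# Constructed allowlist for illustration only. Check the documentation's
# Reference > Algorithms page for your AM version and adjust to match.
SUPPORTED_SIG_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512",
}
# The article's recommendation: SHA-256 variants.
RECOMMENDED_SIG_ALGS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
}

def deflate_encode(xml: str) -> str:
    """Raw DEFLATE (no zlib header) then base64, per SAML 2.0 Bindings 3.4.4.1."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def inflate_decode(value: str) -> str:
    """Reverse of deflate_encode: base64 decode, then raw inflate."""
    return zlib.decompress(base64.b64decode(value), -15).decode()

def build_redirect_url(sso_url, request_xml, sig_alg, relay_state=None,
                       signature_b64="cGxhY2Vob2xkZXI="):
    """Build a redirect-binding URL. The Signature value is a placeholder;
    no real signing happens here (that needs the SP's private key)."""
    params = [("SAMLRequest", deflate_encode(request_xml))]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    params.append(("SigAlg", sig_alg))
    return (f"{sso_url}?{urllib.parse.urlencode(params)}"
            f"&Signature={urllib.parse.quote(signature_b64, safe='')}")

def signed_query_string(url: str) -> str:
    """Rebuild the octets the receiver verifies: the still-URL-encoded
    SAMLRequest/SAMLResponse, RelayState and SigAlg pairs in that order,
    exactly as they appear in the URL, without the Signature parameter."""
    query = urllib.parse.urlsplit(url).query
    raw = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    order = ("SAMLRequest", "SAMLResponse", "RelayState", "SigAlg")
    return "&".join(f"{n}={raw[n]}" for n in order if n in raw)

def check_sig_alg(url: str) -> dict:
    """Classify the SigAlg the way a receiver does before any crypto runs."""
    q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    sig_alg = q.get("SigAlg", [None])[0]
    if sig_alg is None:
        status = "unsigned"  # no SigAlg parameter: nothing to verify
    elif sig_alg in SUPPORTED_SIG_ALGS:
        status = "supported"
    else:
        status = "Signature algorithm is not supported"
    return {
        "sig_alg": sig_alg,
        "status": status,
        "recommended": sig_alg in RECOMMENDED_SIG_ALGS,
        "has_signature": "Signature" in q,
        "request_xml": inflate_decode(q["SAMLRequest"][0]) if "SAMLRequest" in q else None,
    }

# Constructed sample data (hostnames and the request ID are made up).
SSO_URL = "https://am.example.com/openam/SSORedirect/metaAlias/idp"
AUTHN_REQUEST_XML = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'ID="_c0ffee" Version="2.0" IssueInstant="2021-04-13T10:00:00Z">'
    '<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    'https://sp.example.com/metadata</saml:Issuer></samlp:AuthnRequest>'
)
GOOD_URL = build_redirect_url(SSO_URL, AUTHN_REQUEST_XML,
                              "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256", "state1")
# rsa-md5 stands in for any algorithm URI the receiver does not accept.
BAD_URL = build_redirect_url(SSO_URL, AUTHN_REQUEST_XML,
                             "http://www.w3.org/2001/04/xmldsig-more#rsa-md5", "state1")
UNSIGNED_URL = f"{SSO_URL}?SAMLRequest={urllib.parse.quote(deflate_encode(AUTHN_REQUEST_XML), safe='')}"

if __name__ == "__main__":
    for name, url in (("good", GOOD_URL), ("bad", BAD_URL), ("unsigned", UNSIGNED_URL)):
        info = check_sig_alg(url)
        print(f"{name}: SigAlg={info['sig_alg']} -> {info['status']}")
        print("  signed string:", signed_query_string(url)[:60], "...")
```

To use this against a real failure, copy the Location header of the redirect (or the URL from the browser) that arrived at AM's SSORedirect endpoint and pass it to check_sig_alg; the SigAlg URI it reports is what needs to appear in the AM supported list, and changing the SP's signing algorithm to rsa-sha256 or ecdsa-sha256 is the fix the article recommends.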

HTTP-POST or HTTP-Artifact bindings

If you use the HTTP-POST or HTTP-Artifact bindings for responses and want to control the response signing algorithm, the global XML signature algorithm setting should be sufficient; in the web SSO profile the HTTP-Redirect binding can only be used for transferring requests, not responses. You can configure the signature algorithm for these responses in the console as follows:

  1. Navigate to: Configure > Global Services > Common Federation Configuration > Algorithms > XML signature algorithm and select the required signature.
  2. Save your changes.
  3. Restart the web application container in which AM runs to apply these changes.

See Also

FAQ: SAML certificate management in AM 5.x and 6.x

SAML Federation in AM

SAML v2.0 Guide

Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.