Identity Providers

Learn about common problems that you might encounter when using identity providers and learn how to solve them.

I am getting invalid signature errors for my Identity Provider. My certificates look correct in the metadata. What could be wrong?

If an Identity Provider partner is created from metadata and that metadata contains two KeyDescriptor elements with use="signing", the runtime verifies messages from the Identity Provider against the first signing certificate only. If you see invalid signature errors even though both certificates look correct, the Identity Provider is probably signing with the second certificate.

To fix this, update the metadata so that it no longer lists the signing certificate the Identity Provider does not actually use. After the update, the certificate the Identity Provider signs with must be the first (ideally the only) use="signing" certificate in the metadata.
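The following is an added example (it is not part of the original page and not Oracle product code) that shows how to check for this condition before importing metadata. It lists every signing certificate in the IDPSSODescriptor in document order, reads the certificate embedded in a SAML Response's ds:KeyInfo to see which entry the Identity Provider actually signed with, and rewrites the metadata to keep only that one. The metadata and response documents are constructed for illustration, and the certificate values are placeholder strings rather than real X.509 certificates.

```python
"""Detect and fix metadata that lists more than one use="signing" certificate.

Added example, not code from the original page. Assumes the runtime behaviour
described in the text: only the FIRST use="signing" certificate is used for
signature verification. Sample documents are constructed; certificate values
are placeholders, not real certificates.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep md:/ds: prefixes on re-serialisation


def _normalize(b64: str) -> str:
    # PEM-wrapped and single-line base64 must compare equal: drop all whitespace.
    return "".join(b64.split())


def signing_certs(metadata_xml: str) -> List[str]:
    """X509Certificate values usable for signing, in document order.

    A KeyDescriptor without a use attribute applies to both signing and
    encryption per the SAML 2.0 metadata spec, so it is counted as well.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append(_normalize(cert.text or ""))
    return certs


def response_cert(response_xml: str) -> Optional[str]:
    """Certificate carried in the Response's ds:KeyInfo, or None if absent."""
    root = ET.fromstring(response_xml)
    cert = root.find("./ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return _normalize(cert.text) if cert is not None and cert.text else None


def diagnose(metadata_xml: str, response_xml: str) -> Dict[str, object]:
    """Report how many signing certs the metadata lists and which one was used.

    mismatch is True when the response was signed with a certificate that is
    present in the metadata but is NOT the first one (the case in the FAQ).
    """
    certs = signing_certs(metadata_xml)
    used = response_cert(response_xml)
    index = certs.index(used) if used in certs else None
    return {
        "signing_cert_count": len(certs),
        "used_index": index,
        "mismatch": len(certs) > 1 and index not in (None, 0),
    }


def drop_unused_signing_certs(metadata_xml: str, keep: str) -> str:
    """Return metadata with every use="signing" KeyDescriptor removed except
    the one whose certificate equals `keep`. Encryption descriptors are kept."""
    root = ET.fromstring(metadata_xml)
    for idp in root.iterfind(".//md:IDPSSODescriptor", NS):
        for kd in list(idp.findall("md:KeyDescriptor", NS)):
            if kd.get("use") != "signing":
                continue
            cert = kd.find(".//ds:X509Certificate", NS)
            if cert is None or _normalize(cert.text or "") != keep:
                idp.remove(kd)
    return ET.tostring(root, encoding="unicode")


# Constructed sample metadata: two signing certs (A listed first, B second) and
# one encryption cert. PLACEHOLDER-CERT-* are stand-ins for base64 DER certs.
METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-CERT-A</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-CERT-B</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-CERT-ENC</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample response whose KeyInfo carries the SECOND signing cert.
RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-CERT-B</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:Response>"""

if __name__ == "__main__":
    print(diagnose(METADATA, RESPONSE))  # mismatch: True, used_index: 1
    fixed = drop_unused_signing_certs(METADATA, "PLACEHOLDER-CERT-B")
    print(diagnose(fixed, RESPONSE))     # mismatch: False, used_index: 0
```

Two caveats. Not every Identity Provider embeds its certificate in ds:KeyInfo; when it is absent, the only way to find the signing certificate is to attempt XML-DSig verification against each candidate with a proper library, which this snippet does not do. And the check only compares certificates the Identity Provider published: a response signed with a certificate that appears nowhere in the metadata is reported with used_index None, which is a different problem (stale metadata or an untrusted signer) and should not be "fixed" by adding the certificate from the response.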

I am trying to import the Oracle Identity Cloud Service metadata. However, it fails because the certificates are not considered as valid. Why is that?

Unlike many SAML 2.0 Identity and Service Providers, Oracle Identity Cloud Service does not use self-signed certificates for signing and encryption of SAML 2.0 requests and responses; its certificates are issued by a certificate authority. The metadata file, however, includes only the signing and encryption certificates, not the CA certificate that issued them, so the importer cannot build a trust chain for them and rejects them as invalid. To get the missing root certificate from Oracle Identity Cloud Service, see Obtaining the Root CA Certificate from Oracle Identity Cloud Service.