Shibboleth opensaml – FatalProfileException – Message was signed, but signature could not be verified

Client asked to update our cert to their adfs. Couldn’t find a good way to troubleshoot this using google so started to examine all the configuration files in /etc/shibboleth.

Led me to federationmetadata.xml.

Found section keydescriptor that looked like a certificate so I added a new section with the new cert.

<KeyDescriptor use="signing">
<KeyInfo xmlns="">

Leave a Reply