SingleStore DB

Encryption or Signing Errors

You may encounter errors if there are any misconfigured or nonexistent keys when a SAML response is processed, especially if it contains encrypted elements. These errors include:

  • Digital signature does not validate with the supplied key

  • Unable to decrypt EncryptedKey element

  • Unable to decrypt EncryptedData element

Digital signature does not validate with the supplied key

If a SAML response is digitally signed using an identity provider’s private key, it must be validated using the paired public key. This public key’s file path is specified in the memsql.cnf file for the saml_x509_certificate variable. If the SAML response cannot be read using the specified public key, then either the path points to the wrong public key file or the SAML response was signed with the wrong private key.

Unable to decrypt EncryptedKey element

Since asymmetric encryption is often inefficient for encrypting large amounts of data, it is standard for a SAML identity provider to encrypt SAML responses with a new symmetric key that it generates for each response. The SAML identity provider then encrypts the symmetric key using a supplied public key, and adds the result to the SAML response as an EncryptedKey element.

If a EncryptedKey element is encrypted using by the identity provider using a supplied public key, it must be decrypted using the paired private key. This public key’s file path is specified in the memsql.cnf file for the saml_private_decryption_key variable. If the SAML response cannot be read using the specified public key, then either the path points to the wrong public key file or the SAML response was signed with the wrong private key.