Troubleshooting
Articles about how to solve the most common problems
jigarjethwani4
Dynatrace Participant

Summary

This article refers to the Dynatrace Account Management platform and addresses issues related to SSO login failures caused by invalid SAML signatures. It provides detailed steps to resolve login issues when the SAML certificate has expired or is mismatched between the Identity Provider (SSO) and Dynatrace.
In this example, the Identity Provider is Azure Active Directory (Azure AD).

Problem

Users are unable to log in using SSO. The error message displayed is:

400
Request denied!
SAML Message was signed by invalid Signature.
Please check certificates appended to SAML Metadata and your SAML Signing settings.

Root Cause:

  • The Azure AD SAML signing certificate expired and was renewed on the Azure side.
  • Dynatrace SAML configuration was not updated with the new certificate, causing authentication failures.

Troubleshooting steps

  1. Confirm the error message displayed on the Dynatrace WebUI when attempting to log in using SSO.
  2. Check the Azure AD configuration:
     • Navigate to Azure Entra ID, and then to the SAML Enterprise Application you configured for Dynatrace. Then open "Manage" -> "Single Sign-On" and choose "Edit" within the "SAML Certificates" section.
     • Verify whether the certificate has expired or was recently renewed.
     • If it has expired or been renewed, download the new certificate in XML format and keep it ready for upload in Dynatrace Account Management.
  3. Log in to Dynatrace Account Management using your Fallback User Account credentials:
     https://myaccount.dynatrace.com/accounts
     If you do not have a fallback user account or cannot recall the credentials, skip to Step 8.
  4. In Account Management, navigate to:
     Identity & Access Management → SAML Configuration.
  5. Locate the configuration for the affected domain and click … → Edit configuration.
     In Step 2: SAML metadata, scroll to Identity provider metadata and click Choose File to upload the new XML certificate.
  6. Click Next, complete MFA authentication, and wait for the Success message in the final step (Activation).
  7. Test by asking the affected user to log in.
     • If login still fails, contact Dynatrace Support.
  8. If no fallback user account exists or its credentials are unknown, contact Dynatrace Support to temporarily bypass SSO and gain access.
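
Before uploading, it helps to confirm that the downloaded metadata really carries the certificate the Identity Provider now signs with. The following is an added example, not Dynatrace or Microsoft code: the function names are hypothetical and the certificate bytes are constructed placeholders standing in for an exported metadata file and a captured SAML response.

```python
import base64, hashlib
import xml.etree.ElementTree as ET  # for files you exported yourself, not untrusted XML

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def thumbprint(b64_text):
    """SHA-256 over the decoded certificate bytes (base64 may be line-wrapped)."""
    return hashlib.sha256(base64.b64decode("".join(b64_text.split()))).hexdigest()

def signing_thumbprints(metadata_xml):
    """Thumbprints of every IdP certificate the metadata offers for signing."""
    found = set()
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute covers signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            if cert.text and cert.text.strip():
                found.add(thumbprint(cert.text))
    return found

def response_cert_known(response_xml, metadata_xml):
    """True if the certificate embedded in the response's ds:Signature appears in
    the metadata. Diagnostic only: this does not verify the signature itself."""
    certs = ET.fromstring(response_xml).iterfind(".//ds:Signature//ds:X509Certificate", NS)
    embedded = {thumbprint(c.text) for c in certs if c.text and c.text.strip()}
    return bool(embedded) and embedded <= signing_thumbprints(metadata_xml)

def _key_info(cert_bytes):  # constructed placeholder bytes, not a real certificate
    b64 = base64.b64encode(cert_bytes).decode()
    return (f'<ds:KeyInfo xmlns:ds="{NS["ds"]}"><ds:X509Data><ds:X509Certificate>'
            f'{b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>')

def sample_metadata(cert_bytes):
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}"><md:IDPSSODescriptor>'
            f'<md:KeyDescriptor use="signing">{_key_info(cert_bytes)}'
            f'</md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>')

def sample_response(cert_bytes):
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
            f'<ds:Signature xmlns:ds="{NS["ds"]}">{_key_info(cert_bytes)}'
            '</ds:Signature></samlp:Response>')

STALE = sample_metadata(b"constructed-expired-cert")     # uploaded before renewal
FRESH = sample_metadata(b"constructed-renewed-cert")     # downloaded after renewal
RESPONSE = sample_response(b"constructed-renewed-cert")  # IdP signs with renewed cert
if __name__ == "__main__":
    print(response_cert_known(RESPONSE, STALE), response_cert_known(RESPONSE, FRESH))
```

With real data, pass the text of the metadata file downloaded from the Identity Provider and a base64-decoded SAML response; a result of False against the metadata currently configured and True against the fresh download matches the root cause described above.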

Resolution

Once the above steps are performed, the affected users can log in successfully using SSO. The process renews the certificate configured in Dynatrace, bringing Dynatrace back in sync with Azure AD.

What's next

If this article did not help, please:

Version history
Last update:
26 Nov 2025 02:48 PM
Updated by: