Hi Colm, thanks for your reply and sorry for the late response.
We are now seeing the root cause of the problem: the client sends us an empty Reference URI in the signature block. I can only post parts of the SAML2 assertion:

    <saml2:Assertion ID="cc847542-81eb-4720-9068-d9de7d892dcd" IssueInstant="2020-01-22T13:35:44Z" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
      <saml2:Issuer>XXXX</saml2:Issuer>
      <Signature xmlns="http://www.w3.org/2000/09/xmldsig#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <SignedInfo>
          <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <Reference URI="">
            <Transforms>
              <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
              <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue>yk65BmkjJAF9MTQ927JPMNpoBbQ=</DigestValue>
          </Reference>
        </SignedInfo>
          </KeyValue>
        </KeyInfo>
      </Signature>

The signature check in the library used by Apache CXF (WSS4J + Santuario?) will now verify the signature over the whole SOAP message instead of only the SAML assertion, because of the empty URI in the Reference tag. The digest of the whole SOAP message will never be the same as that of the SAML2 assertion, so it will never work this way. The Reference URI must be the SAML Assertion ID (cc847542-81eb-4720-9068-d9de7d892dcd) to have the correct scope, right?

Do you have any idea whether there is a configuration option so that the reference resolution will not work this way? Or is this simply an invalid signature in the scope of a SOAP message?

We have checked the SAML assertion standalone; the signature check with other tools is successful, so the signature itself is correct. The SAML assertion in the context of a SOAP message leads to an error... We are using Apache CXF 3.3.4...

Thanks
Jens

--
Sent from: http://cxf.547215.n5.nabble.com/cxf-user-f547216.html
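As an added illustration (not code from Jens's post, CXF, WSS4J or Santuario), the following Python resolves where an XML-DSig same-document Reference actually points, using only the standard library: URI="" lands on the root of the document the Signature lives in, so the same assertion is covered when standalone but the whole SOAP Envelope is covered once embedded, while URI="#id" lands on the assertion either way. The sample assertion is constructed from the fragment above, the in_soap wrapper is hypothetical, and no digest or signature value is actually computed.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAML2 = "{urn:oasis:names:tc:SAML:2.0:assertion}"

# Constructed sample modelled on the fragment in the post; Transforms and KeyInfo omitted.
ASSERTION = """<saml2:Assertion ID="cc847542-81eb-4720-9068-d9de7d892dcd" Version="2.0"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Issuer>XXXX</saml2:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo><Reference URI="{uri}"><DigestValue>yk65BmkjJAF9MTQ927JPMNpoBbQ=</DigestValue></Reference></SignedInfo>
  </Signature>
</saml2:Assertion>"""


def in_soap(assertion_xml):
    """Hypothetical helper: embed the assertion in a SOAP 1.1 Envelope header as a service would receive it."""
    return ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soapenv:Header>' + assertion_xml + '</soapenv:Header><soapenv:Body/></soapenv:Envelope>')


def reference_target(xml_text):
    """Return (assertion_id, reference_uri, tag of the element the Reference covers).

    Same-document references per XML-DSig: URI="" covers the root element of the
    document containing the Signature (the Signature itself is dropped by the
    enveloped-signature transform); URI="#id" covers the element whose ID is id.
    Only the reference resolution is modelled; canonicalisation and digests are not.
    """
    root = ET.fromstring(xml_text)
    assertion = root if root.tag == SAML2 + "Assertion" else root.find(".//" + SAML2 + "Assertion")
    if assertion is None:
        raise ValueError("no saml2:Assertion found")
    ref = assertion.find(f"./{DS}Signature/{DS}SignedInfo/{DS}Reference")
    if ref is None:
        raise ValueError("assertion has no Signature/SignedInfo/Reference")
    uri = ref.get("URI", "")
    if uri == "":
        covered = root  # the whole document, which is the assertion only when it stands alone
    elif uri.startswith("#"):
        covered = root if root.get("ID") == uri[1:] else root.find(f".//*[@ID='{uri[1:]}']")
    else:
        covered = None  # external reference, out of scope here
    return assertion.get("ID"), uri, (covered.tag if covered is not None else None)


def reference_scopes_assertion(xml_text):
    """Acceptance check for a relying party: the Reference must resolve to the saml2:Assertion itself."""
    return reference_target(xml_text)[2] == SAML2 + "Assertion"
```

Run against the standalone assertion, the URI="" reference covers the assertion and the check passes; wrapped in the Envelope the same reference covers the Envelope and the check fails, which matches the behaviour described above.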