Introduction

When using Single Sign-On (SSO) with Azure/Entra ID, you may encounter the error:

"error": "SAML response was not properly signed. Make sure to sign at least the SAML response or the assertion(s)."

This typically happens after renewing the SAML signing certificate in Entra ID. Although certificate expiry itself does not break SSO, manually renewing it can cause issues because Zivver caches metadata for efficiency. The renewed certificate is not immediately recognized, leading to failed logins for all users.

Cause

• Caching behavior: Zivver caches SSO metadata for 24 hours to avoid fetching it at every login. When a certificate is renewed, the cache still points to the old certificate, causing SSO failures until it expires.
• Certificate expiry: SSO does not break when a certificate expires because Zivver—like many other service providers—ignores the certificate’s expiration date. This approach prioritizes reliability and helps prevent unexpected service disruptions.

Resolution

1. Log in to the Azure admin center.
2. Search for Enterprise applications and select it.
3. In the Enterprise applications page, search for Zivver and select the SSO application.
4. Under Manage, select Single sign-on.
5. In the SAML Certificates card, click the Edit button.
6. Create or import a new certificate.
7. Make the new certificate Active.
8. Open the XML metadata from the Metadata URL in a new tab.
9. Save the XML metadata as an .xml file on your computer.
10. Open the .xml file in a plain text editor (e.g., Notepad, VSCode, or Notepad++).
11. Copy the entire content of the XML file to your clipboard.
12. Log in to the Zivver WebApp.
13. Click Organization Settings.
14. Expand User administration.
15. Click Single Sign-on.
16. Select Manually.
17. Paste the XML metadata into the Identity Provider’s .XML field.
18. Click Save.
19. Wait 24 hours (until cached metadata expires).
20. Switch the method back to Automatically.
21. Enter the Metadata URL again in the URL field.
22. Click Save.