Ensure users can successfully authenticate to Workvivo using SAML-based Single Sign-On (SSO) by confirming that the Base64-encoded X.509 signing certificate configured in both the Identity Provider (IdP) and Workvivo is valid and has not expired.
Error Message
If a user sees the message:
“Signature validation failed. SAML Response rejected.”
This usually indicates an issue with the SAML signing certificate, rather than a user access, permission, or assignment issue.
In most cases, this error occurs because the X.509 certificate has expired or does not match the certificate currently configured in Workvivo.
Using SAML Authentication with Workvivo
Where the issue occurs
This error is generated during the SAML authentication flow, after the Identity Provider sends the SAML response but before Workvivo can validate the signature.
Because the SAML response cannot be validated, Workvivo rejects the login attempt.
Common Causes
In most cases, the affected organisation has:
An expired SAML X.509 signing certificate
A certificate in the Identity Provider that does not match the one configured in Workvivo
Updated or rotated the certificate in the IdP but did not update Workvivo
An incorrectly formatted or incomplete X.509 certificate
How to Investigate the Certificate Configuration
How to access the certificate
The SAML signing certificate cannot be viewed directly in the Workvivo Admin Panel.
To retrieve the currently configured certificate, please contact Workvivo Support, who can provide the active SAML certificate for your organisation.
What to confirm
Once the certificate has been provided by Workvivo Support, confirm that it:
Matches the certificate configured in your Identity Provider (IdP)
Has not expired
Is the correct certificate used for signing (not encryption)
Updating the SAML Certificate in Workvivo
How to update
The customer’s IT Administrator should complete the following steps:
Locate the SAML X.509 Certificate field in your authentication settings.
Ensure the new certificate is in the correct X.509 format and Base64-encoded.
(Optional) Validate or format the certificate using a third-party tool, such as:
Format X.509 certificateSave a copy of the existing certificate before making any changes.
Paste the new certificate into the SAML X.509 Certificate field.
Click Submit to save the changes.
Additional Information
Only users with the IT Administrator role can update SAML authentication settings.
Certificate updates must be completed on both sides:
The Identity Provider (IdP)
Workvivo Authentication Settings
Always test the login after updating the certificate.
We recommend testing in a private or incognito browser window to avoid cached session issues.
Still Having Issues?
If the certificate has been confirmed as correct and the error persists, please contact Workvivo Support for further assistance and investigation.