Overview:
A user, assigned to an SSO Security Policy, is receiving an error: Can't validate Identity Provider signature.
Root Cause:
This error occurs when the SAML Response from the Identity Provider (IdP) is not properly signed, or when the IdP certificate is not valid.
Solution:
Vault requires that the entire SAML Response from the customer IdP be signed. Review the XML in the SAML Response with the IdP support team to ensure that the entire response is signed and not only a part of it, for example, only the assertion.
Also, check that the IdP certificate is still valid. If the certificate is expiring, or has been changed in only one of the two environments (the IdP or Vault) rather than in both, the SAML Response signature can fail validation.
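As an added example (not part of this article or of Vault's own code), the following Python check reports the two conditions described above: a ds:Signature that sits on the Assertion only instead of on the whole samlp:Response, and a certificate in KeyInfo that differs from the one the service provider has configured. The response snippets and the certificate string are constructed placeholders, and the code inspects structure only; it does not verify the signature value itself.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Certificate the service provider has on file for the IdP (constructed placeholder).
CONFIGURED_IDP_CERT = "MIIC...CONFIGURED"

def check_saml_response(xml_text, configured_cert=CONFIGURED_IDP_CERT):
    """Return findings explaining why signature validation may fail.

    Structure only: where ds:Signature sits and whether the certificate in
    KeyInfo matches the one on file. The XML signature itself is not verified.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["root element is not samlp:Response"]
    findings = []
    # A signature over the whole Response is a direct child of samlp:Response;
    # a signature that is a child of saml:Assertion covers the assertion only.
    response_sig = root.find("ds:Signature", NS)
    assertion_sigs = root.findall("saml:Assertion/ds:Signature", NS)
    if response_sig is None:
        if assertion_sigs:
            findings.append("only the Assertion is signed; the whole Response must be signed")
        else:
            findings.append("Response carries no signature at all")
    # Compare the certificate the IdP sent with the one configured on the SP side.
    for sig in ([response_sig] if response_sig is not None else []) + assertion_sigs:
        cert = sig.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and "".join((cert.text or "").split()) != configured_cert:
            findings.append("certificate in KeyInfo does not match the configured IdP certificate")
    return findings

# Constructed sample responses (not real IdP output; SignatureValue omitted).
SIG = ('<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyInfo>'
       '<ds:X509Data><ds:X509Certificate>MIIC...CONFIGURED</ds:X509Certificate>'
       '</ds:X509Data></ds:KeyInfo></ds:Signature>')
HEAD = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">')
ASSERTION_ONLY = HEAD + '<saml:Assertion ID="_a1" Version="2.0">' + SIG + '</saml:Assertion></samlp:Response>'
RESPONSE_SIGNED = HEAD + SIG + '<saml:Assertion ID="_a1" Version="2.0"/></samlp:Response>'

if __name__ == "__main__":
    print(check_saml_response(ASSERTION_ONLY))  # the failure case from the article
    print(check_saml_response(RESPONSE_SIGNED))  # []
```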