apokalipto / devise_saml_authenticatable

Devise SAML 2.0 authentication strategy
MIT License

Auth errors: Invalid Signature on SAML Response in Prod (but works fine in our UAT env) #224

Closed bazfer closed 2 years ago

bazfer commented 2 years ago

Hello all, we are coming across a strange situation in our Prod env:

  1. Configuring both the SDP and the IDP on production successfully authenticates on the IDP side, but when landing back on SDP URL it fails with the error 'Auth errors: Invalid Signature on SAML Response'. The response, however, has the same shape as a success response, and even has a 'success' status in the XML.
  2. We then created another connection on the IDP side and used a different environment on the SDP side, which shares the exact same code as Prod, and in this case the authentication and landing back in the SDP URL worked just fine.
  3. We then 'crossed the streams' and updated the Prod SAML config to authenticate against the new IDP connection that worked for the SDP UAT environment, but again got the 'Auth errors: Invalid Signature on SAML Response'.

We have triple-, quadruple-checked that all the config is correct -- no extra spaces anywhere, which seems to be a root issue that manifests in the error message we are seeing. Indeed it looks like something is wrong with our Prod env, but we are having a hard time even thinking of what this could be.

Any pointers or guidance would be greatly appreciated.

adamstegman commented 2 years ago

This seems pretty weird to me. Signature validation ought to be straightforward if the certificate is configured, so settings that work in one environment should also work in another as long as nothing else is different.
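Added example, not code from this thread or from the gem: a stdlib-only Ruby check that compares the IdP certificate configured on the SP side with the certificate the IdP embedded in the SAML response, after stripping PEM armour and all whitespace, since a mismatched or whitespace-damaged certificate is the usual cause of the "Invalid Signature on SAML Response" error discussed above. The self-signed certificates and the minimal Success response are constructed fixtures; `diagnose`, `fingerprint` and the other names are this example's own.

```ruby
require "openssl"
require "rexml/document"

DS_NS = { "ds" => "http://www.w3.org/2000/09/xmldsig#" }.freeze

# Strip PEM armour and every whitespace character before decoding, so a stray space or
# newline in a settings file cannot make two identical certs compare differently.
# Accepts PEM or the bare base64 body found in <ds:X509Certificate>.
def normalize_cert(raw)
  body = raw.gsub(/-----(BEGIN|END) CERTIFICATE-----/, "").gsub(/\s+/, "")
  OpenSSL::X509::Certificate.new(body.unpack1("m")) # "m" = base64 decode
end

# Colon-separated hex fingerprint of the DER form, as IdP admin consoles usually display it.
def fingerprint(cert, algorithm = "SHA256")
  OpenSSL::Digest.new(algorithm).hexdigest(cert.to_der).upcase.scan(/../).join(":")
end

# The certificate the IdP embedded in the response's KeyInfo, or nil if there is none.
def cert_from_response(xml)
  node = REXML::XPath.first(REXML::Document.new(xml), "//ds:X509Certificate", DS_NS)
  node && normalize_cert(node.text)
end

# Compare the SP's configured IdP certificate with the one the response was signed under.
def diagnose(configured_pem, response_xml)
  embedded = cert_from_response(response_xml)
  return :no_embedded_cert if embedded.nil?
  fingerprint(normalize_cert(configured_pem)) == fingerprint(embedded) ? :match : :mismatch
end

# --- constructed fixtures standing in for real IdP material ---
def self_signed_cert(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial, cert.public_key = 2, 1, key.public_key
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.not_before, cert.not_after = Time.now, Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256")) # returns the certificate itself
end

def sample_response(cert) # minimal Success response carrying the signing cert; pack("m") wraps lines
  "<samlp:Response xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\" " \
  "xmlns:ds=\"http://www.w3.org/2000/09/xmldsig#\" ID=\"_1\" Version=\"2.0\"><samlp:Status>" \
  "<samlp:StatusCode Value=\"urn:oasis:names:tc:SAML:2.0:status:Success\"/></samlp:Status>" \
  "<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>#{[cert.to_der].pack('m')}" \
  "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>"
end

PROD_IDP_CERT = self_signed_cert("idp.example.test")      # cert the IdP actually signs with
STALE_IDP_CERT = self_signed_cert("old-idp.example.test") # cert from a different IdP connection
RESPONSE = sample_response(PROD_IDP_CERT)
p diagnose(PROD_IDP_CERT.to_pem.gsub("\n", " \n"), RESPONSE) # :match, despite trailing spaces
p diagnose(STALE_IDP_CERT.to_pem, RESPONSE)                  # :mismatch
```

This only tells you whether the two certificates are the same material; the cryptographic signature check itself is still done by the gem's response validation, and a `:mismatch` here means the Prod settings point at a certificate the IdP is not signing with.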