When running Federation Services as a Service Provider (SP), signature validation of the incoming SAML Response fails at the Policy Server, and the Policy Server log shows the following error:
[06/23/2020][14:49:06.169][14:49:06][3200][6268][SignatureProcessor.java][verifyXML][][][][][][][][][][][][][][][][][][][][]
[Signature verification with primary certificate failed with message: Error in DSigVerifier: cert not found or sig not verified - Caught an Exception either finding certificate in DB or verifying using IXMLSignature implementor - Transform disallowed!]
When signature verification is disabled, the transaction completes.
The SAML Response sent by the partner Identity Provider (IdP) carries a Reference Transform that uses inclusive canonicalization, http://www.w3.org/TR/2001/REC-xml-c14n-20010315, which the Policy Server rejects ("Transform disallowed!"). The SAML 2.0 Core specification (section 5.4.4, Transforms) states:
"Signatures in SAML messages SHOULD NOT contain transforms other
than the enveloped signature transform (with the identifier
http://www.w3.org/2000/09/xmldsig#enveloped-signature) or the
exclusive canonicalization transforms (with the identifier
http://www.w3.org/2001/10/xml-exc-c14n# or
http://www.w3.org/2001/10/xml-exc-c14n#WithComments).
Verifiers of signatures MAY reject signatures that contain other
transform algorithms as invalid [...]"
The Policy Server trace of the incoming SAML Response shows the inclusive canonicalization Transform listed under the Reference:
[06/23/2020][12:49:05][2848][17528][][AssertionConsumer.java][processSAMLResponse][Credentials:
<UserCredentials>
<?xml version="1.0" encoding="UTF-8"?>
<samlp2:Response Version="2.0" ID="SAML-41h5dzs8-0205-4974-8a21-d801eae83d3e" IssueInstant="2020-06-23T12:49:05Z" Destination="https://sp.example.com/affwebservices/public/saml2assertionconsumer" xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.org</saml2:Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#<reference>">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
Have the partner (IdP) sign the SAML Response using only the Transform algorithms permitted by the SAML specification: the enveloped-signature transform (http://www.w3.org/2000/09/xmldsig#enveloped-signature) and exclusive canonicalization (http://www.w3.org/2001/10/xml-exc-c14n#), instead of inclusive canonicalization (http://www.w3.org/TR/2001/REC-xml-c14n-20010315). Disabling signature verification, as noted above, lets the transaction complete, but it also lets the SP accept assertions whose origin and integrity have not been checked, so it is a diagnostic step and not a fix.
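The following added example (not Federation Services or Policy Server code) shows the check a verifier performs before any cryptography: it lists the Transform algorithms under each ds:Reference of a SAML Response and flags any that the SAML 2.0 Core text quoted above does not permit. The two sample Responses are constructed to mirror the trace above, with a hypothetical ID and placeholder digest and signature values. Note that the restriction applies to Reference Transforms only; the CanonicalizationMethod of SignedInfo is a separate setting, so the example deliberately leaves it as inclusive canonicalization in both samples.

```python
# Added example, not Policy Server code: flag ds:Transform algorithms in a SAML
# Response that SAML 2.0 Core section 5.4.4 does not permit.
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

ENVELOPED_SIGNATURE = "http://www.w3.org/2000/09/xmldsig#enveloped-signature"
EXC_C14N = "http://www.w3.org/2001/10/xml-exc-c14n#"
EXC_C14N_WITH_COMMENTS = "http://www.w3.org/2001/10/xml-exc-c14n#WithComments"
INCLUSIVE_C14N = "http://www.w3.org/TR/2001/REC-xml-c14n-20010315"

# The only transforms a SAML signature SHOULD carry (SAML 2.0 Core 5.4.4).
ALLOWED_TRANSFORMS = frozenset({ENVELOPED_SIGNATURE, EXC_C14N, EXC_C14N_WITH_COMMENTS})


def reference_transforms(response_xml):
    """Return [(reference_uri, [transform algorithm, ...]), ...] in document order.

    Only ds:Transform elements under each ds:Reference are inspected; the
    ds:CanonicalizationMethod of ds:SignedInfo is not covered by the restriction.
    """
    root = ET.fromstring(response_xml.encode("utf-8"))
    result = []
    for ref in root.iter(DS + "Reference"):
        algs = [t.get("Algorithm", "") for t in ref.iter(DS + "Transform")]
        result.append((ref.get("URI", ""), algs))
    return result


def disallowed_transforms(response_xml):
    """Return the transform algorithms not on the SAML allow-list (empty list = OK)."""
    bad = []
    for _uri, algs in reference_transforms(response_xml):
        bad.extend(a for a in algs if a not in ALLOWED_TRANSFORMS)
    return bad


def _signed_response(transforms):
    # Constructed sample: hypothetical ID, placeholder DigestValue/SignatureValue.
    # The element layout mirrors the Response from the Policy Server trace.
    transform_xml = "".join('<Transform Algorithm="%s"/>' % a for a in transforms)
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<samlp2:Response Version="2.0" ID="SAML-example-0001" IssueInstant="2020-06-23T12:49:05Z"
    Destination="https://sp.example.com/affwebservices/public/saml2assertionconsumer"
    xmlns:samlp2="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example.org</saml2:Issuer>
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="{INCLUSIVE_C14N}"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="#SAML-example-0001">
        <Transforms>{transform_xml}</Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>placeholder</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>placeholder</SignatureValue>
  </Signature>
</samlp2:Response>"""


# As sent by the partner in this case: inclusive c14n listed as a Reference Transform.
REJECTED_RESPONSE = _signed_response([ENVELOPED_SIGNATURE, INCLUSIVE_C14N])
# After the partner switches to the transforms the specification permits.
ACCEPTED_RESPONSE = _signed_response([ENVELOPED_SIGNATURE, EXC_C14N])

if __name__ == "__main__":
    for name, xml in (("rejected", REJECTED_RESPONSE), ("accepted", ACCEPTED_RESPONSE)):
        bad = disallowed_transforms(xml)
        print(name, "->", "disallowed transforms: %s" % bad if bad else "transforms OK")
```

Run against the partner's actual Response (for example the XML captured in the Policy Server trace), a non-empty result from disallowed_transforms names exactly the algorithm the partner has to drop; an empty result means the Transforms are within the specification and any remaining failure lies elsewhere (certificate lookup or the signature value itself).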