Both of our Azure PAM systems started getting this error:
PAM-CMN-0982: SAML SSO Authentication Failure: Status Code: N/A. Status Message: Unable to validate Signature. SubStatus Code: N/A.
Around 2016 we ran into this issue when Azure changed the federation metadata certificate used for SSO, and a patch was added that allowed PAM to check for a new certificate. We haven't seen this message in a long time; both PAMs have SAML IDP Metadata Refresh mode set to hourly.
Fixed it by grabbing the federation metadata cert and putting it into the Update Identity Provider Azure IDP cert box, but this shouldn't require any manual intervention to fix.
Wondering if this functionality got disabled in a recent update? Searching through the session logs for refresh, metadata and not finding anything. I think there used to be something in those showing when it did the check and update.
Release: 4.1
A problem on the PAM appliance prevented the cron jobs that update the IdP metadata daily or hourly (see the "SAML IdP Metadata Refresh Mode" setting on the documentation page Configure PAM as the Relying Party (RP)) from running.
The problem will be fixed in the 4.1.5 maintenance release and in future PAM releases. If you need this fixed at a lower release, please raise a case with PAM Support.
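Until the fix is installed, the drift that produces "Unable to validate Signature" can be caught by an external check that compares the certificate configured in PAM with the signing certificates the IdP currently publishes. The following is an added example, not code from the original article or from PAM; the function names, the sample metadata and the placeholder certificate values are constructed, and it assumes the configured certificate is available as base64 text and the federation metadata XML has been downloaded separately.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholders standing in for base64 DER certificates; not real certs.
OLD_CERT_B64 = base64.b64encode(b"constructed-old-signing-cert").decode()
NEW_CERT_B64 = base64.b64encode(b"constructed-new-signing-cert").decode()

# Constructed document shaped like SAML 2.0 IdP metadata (assumed input format).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.invalid/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{NEW_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{OLD_CERT_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def fingerprint(cert_b64):
    """SHA-256 over the decoded certificate bytes; line wraps and spaces are ignored."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()

def signing_fingerprints(metadata_xml):
    """Fingerprints of every IdP key usable for signing (use='signing' or use unset)."""
    root = ET.fromstring(metadata_xml)
    found = set()
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall(".//ds:X509Certificate", NS):
                found.add(fingerprint(cert.text or ""))
    return found

def pinned_cert_is_current(pinned_cert_b64, metadata_xml):
    """False means the RP trusts a certificate the IdP no longer publishes for signing."""
    return fingerprint(pinned_cert_b64) in signing_fingerprints(metadata_xml)

if __name__ == "__main__":
    for name, cert in (("old", OLD_CERT_B64), ("new", NEW_CERT_B64)):
        state = "OK" if pinned_cert_is_current(cert, SAMPLE_METADATA) else "STALE"
        print(name, state)
```

Run on a schedule, a `STALE` result gives warning that the refresh job has stopped before users hit the SSO failure.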