Hello everyone! I'm trying to configure SSO to Google Apps, using SAML protocol and Keycloak as IDP and Google as SP. Keycloak Version - 2.1.0-Final In Keycloak, I've created a new saml client with following settings: ---------------------------------------------------------------- Client ID - google.com/a/*mydomain*.com Enabled - On Consent Required - Off Include AuthnStatement - On Sign Documents - On Sign Assertions - On Signature Algorithm - RSA_SHA256 Canonicalization Method - EXCLUSIVE Encrypt Assertions - Off Client Signature Required - On Force POST Binding - On Front Channel Logout - On Force Name ID Format - Off Name ID Format - email Root URL - empty Valid Redirect URIs - empty Base URL - /auth/realms/*keycloak realm*/protocol/saml/clients/googleapps Master SAML Processing URL - empty IDP Initiated SSO URL Name - googleapps IDP Initiated SSO Relay State - empty Assertion Consumer Service POST Binding URL - empty Assertion Consumer Service Redirect Binding URL - https://google.com/a/*mydomain*.com/acs logout-service-post-binding-url - empty Logout Service Redirect Binding URL - empty -------------------------------------------------------------- Google SSO Settings: -------------------------------------------------------------- "Setup SSO with third party identity provider" checkbox - enabled Sign-in page URL - https://*keycloak fqdn*/auth/realms/*keycloak realm name*/protocol/saml Sign-out page URL - https://*keycloak fqdn*/auth/realms/*keycloak realm name*/protocol/saml Change password URL - empty Verification certificate - uploaded certificate from keycloak realm, where Google SAML client is defined. "Use a domain specific issuer" checkbox - enabled --------------------------------------------------------------- The problem: When I go to this link - https://mail.google.com/a/*mydomain*.com, to authenticate, I'm redirected back to Keycloak with "Invalid Requester" error and in Keycloak log I see this: "error=invalid_signature" What signature is Keycloak complaining about? What is wrong with my config?