In SAS Viya 3.5, OpenID Connect (OIDC) authentication with external identity providers might fail when the ID token is signed with an algorithm other than RS256, such as RS512. The failure occurs during token signature verification.
In this scenario, users are redirected to authentication, but sign-in fails during token validation. SAS Logon logs show InvalidTokenException / InvalidSignatureException during ID token signature verification.
Observed error messages include the following:
Could not verify token signature
RSA Signature did not match content
Within the SAS Viya 3.5 implementation, RSA token verification defaults to the SHA256withRSA (RS256) algorithm. When a token signed with another algorithm is received, the system attempts verification using the incorrect algorithm, resulting in signature validation failure.
A code enhancement has been implemented in SAS Logon to ensure that signature verification is algorithm-aware for tokens issued by external identity providers.
To get this enhancement, apply the latest SAS Viya 3.5 hot fixes so that the sas-saslogon-2.59.0-20260304.1772602821140 or later package is installed: Hot Fixes for SAS Viya 3.5 for Linux.
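The mismatch described above can be reproduced outside SAS Viya with the standard Java security API. The following is an added illustration, not SAS Logon code: the class and method names, the throwaway key pair, the sample token, and the allowlist of accepted algorithms are all assumptions made for the demonstration. It verifies an RS512-signed token first with a fixed SHA256withRSA verifier, which rejects it, and then with a verifier that selects the algorithm from the token header. It requires Java 11 or later.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import java.util.regex.*;

public class AlgAwareVerifyDemo {
    // Allowlist: JWS "alg" value -> JCA signature name. Any other value is rejected.
    static final Map<String, String> JCA = Map.of(
        "RS256", "SHA256withRSA", "RS384", "SHA384withRSA", "RS512", "SHA512withRSA");

    static boolean verify(String jcaName, PublicKey key, String jwt) throws GeneralSecurityException {
        int dot = jwt.lastIndexOf('.');
        byte[] signed = jwt.substring(0, dot).getBytes(StandardCharsets.US_ASCII);
        byte[] sig = Base64.getUrlDecoder().decode(jwt.substring(dot + 1));
        Signature v = Signature.getInstance(jcaName);
        v.initVerify(key);
        v.update(signed);
        try {
            return v.verify(sig);
        } catch (SignatureException e) {
            return false; // a mismatch can surface as an exception on some JDK versions
        }
    }

    // Verification that always assumes RS256, the default behaviour the note describes.
    static boolean verifyRs256Only(PublicKey key, String jwt) throws GeneralSecurityException {
        return verify("SHA256withRSA", key, jwt);
    }

    // Algorithm-aware verification: read "alg" from the header, map it through the allowlist.
    static boolean verifyAlgAware(PublicKey key, String jwt) throws GeneralSecurityException {
        byte[] raw = Base64.getUrlDecoder().decode(jwt.substring(0, jwt.indexOf('.')));
        String header = new String(raw, StandardCharsets.UTF_8);
        Matcher m = Pattern.compile("\"alg\"\\s*:\\s*\"([^\"]+)\"").matcher(header); // demo-only parse
        String jcaName = m.find() ? JCA.get(m.group(1)) : null;
        return jcaName != null && verify(jcaName, key, jwt);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair(); // throwaway key standing in for the IdP signing key
        Base64.Encoder b64 = Base64.getUrlEncoder().withoutPadding();
        // Constructed sample token, signed with RS512.
        String input = b64.encodeToString("{\"alg\":\"RS512\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8))
            + "." + b64.encodeToString("{\"sub\":\"demo-user\"}".getBytes(StandardCharsets.UTF_8));
        Signature s = Signature.getInstance("SHA512withRSA");
        s.initSign(kp.getPrivate());
        s.update(input.getBytes(StandardCharsets.US_ASCII));
        String jwt = input + "." + b64.encodeToString(s.sign());
        System.out.println("RS256-only verification: " + verifyRs256Only(kp.getPublic(), jwt));
        System.out.println("Algorithm-aware verification: " + verifyAlgAware(kp.getPublic(), jwt));
    }
}
```

The allowlist matters as much as the header lookup: the verifier accepts only the RSA algorithms it expects from the identity provider, so a header naming any other algorithm fails closed.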