The error message you are encountering typically indicates a problem with the token signing key configuration in your Single Sign-On (SSO) setup. This could mean that the key ID in the SAML token does not match any of the public keys registered in Entra ID for your application. Here are a few steps you can take to troubleshoot this issue:
- Check the Token Signing Certificate: Ensure that the certificate used for signing the SAML token in Google Workspace is the same one that is registered in Entra ID for your SSO application. You might need to update the certificate in Entra ID if it has been rotated or changed in Google Workspace.
- Review the SSO Configuration: Verify that the SSO configuration settings in both Google Workspace and Entra ID match exactly. This includes the entity IDs, reply URLs, and other related settings.
- Examine the SAML Response: You can use tools like SAML Tracer to inspect the SAML response from Google Workspace and check if the signing key identifier matches the one expected by Entra ID.
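The certificate comparison described in the steps above can be scripted; this is an added example, not part of the original answer or any Microsoft or Google tooling. It assumes you have the base64 `SAMLResponse` value from the HTTP-POST (as captured in a browser trace) and the registered certificate as a PEM file. The function names and the sample data are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"  # XML-DSig namespace

def pem_to_der(pem: str) -> bytes:
    """Drop the PEM armour lines and decode the body to DER bytes."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest().upper()

def embedded_certs(saml_response_b64: str) -> list:
    """DER bytes of every ds:X509Certificate in a base64 SAMLResponse."""
    xml = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD/entity declarations are not expected in SAML")
    root = ET.fromstring(xml)
    return [base64.b64decode("".join(el.text.split()))
            for el in root.iter(DS + "X509Certificate") if el.text]

def compare(saml_response_b64: str, registered_pem: str) -> dict:
    """Compare the certificate(s) the IdP sent with the registered one.
    A match shows the right key is configured; it does not verify the signature."""
    expected = fingerprint(pem_to_der(registered_pem))
    found = [fingerprint(c) for c in embedded_certs(saml_response_b64)]
    return {"expected": expected, "found": found, "match": expected in found}

# --- constructed sample data: placeholder bytes, not real certificates ---
def _pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

CURRENT_CERT = b"constructed placeholder: certificate the IdP signs with now"
STALE_CERT = b"constructed placeholder: certificate from before a rotation"
SAMPLE_RESPONSE = base64.b64encode((
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyInfo>'
    "<ds:X509Data><ds:X509Certificate>"
    + base64.b64encode(CURRENT_CERT).decode()
    + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
    "</samlp:Response>").encode()).decode()

if __name__ == "__main__":
    print(compare(SAMPLE_RESPONSE, _pem(CURRENT_CERT)))  # registered cert is current
    print(compare(SAMPLE_RESPONSE, _pem(STALE_CERT)))    # registered cert is stale
```

An empty `found` list means the response carries no embedded certificate, so the comparison has to be made against the IdP's metadata or downloaded certificate instead.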