Why the STS is always returning my SAML assertion as invalid ?

By default, the PicketLink STS is configured to sign and validate signatures for your SAML Assertions. This is done by using the KeyProvider element inside your picketlink-sts.xml file.

One of the main objectives of signing a XML document is to  provide a way of detecting if the data has been changed. That said, you must check if you sent the SAML assertion as it was previously issued by the PicketLink STS. With no additional characters or formatting.