Inner exception: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier

Question

Hi,
I'm trying to post a SAML assertion to ADFS 2.0 [Idp Inititated Signon], I'm creating a SAML Message using ComponentSpace and posting it to ADFS 2.0 server thru a webpage. I have manually configured ADFS2.0 to accept tokens from this web application [basically created Claim provider trust]

But when the browser is posted to default ADFS URL [/adfs/ls/]. I receive error message, by looking into the trace log, i get the below details error. FYI. I have verified the saml post message, the message contain the Certificate ky <keyinfo> tags.

Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolException: MSIS1022: Cannot process SAML Response from ''.
Inner exception: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
(
IsReadOnly = False,
Count = 1,
Clause[0] = Microsoft.IdentityServer.Tokens.MSISSecurityKeyIdentifierClause
)
'. Ensure that the SecurityTokenResolver is populated with the required key.
at Microsoft.IdentityServer.Service.Tokens.SamlMessageSecurityTokenHandler.ReadToken(XmlReader reader)
at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.ReadSecurityToken(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSecurityToken()
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.CreateSubject(XmlElement securityTokenXml, SecurityTokenHandlerCollection securityTokenHandlers)
at Microsoft.IdentityModel.Tokens.SecurityTokenElement.GetSubject()
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.GetEffectivePrincipal(SecurityTokenElement securityTokenElement)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.Issue(IssueRequest issueRequest)
at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)

Answer 1

Hi maccarvind,

It appears that your CP Trust Certificates tab has not been populated with the token-signing certificate of the claims provider. Can you check?

 

Thank you,

Adam Conkle - MSFT

Answer 2

First let me start by saying I hope I'm putting this in the right spot and if not I appologize for bumping a dead post.   I am getting the same ID4037 error message in my event logs.  This message is alway proceeded by the following error message:

Connot find certificate to validate message/token signature obtained from claims provider.
Claims provider: urn:federation:*******

This request failed

User Action
Check that Cliams Provider Trust configuration is up to date.

I've searched this message in TechNet and found entries where the resoution just states "Make sure the CP trust is update".  I've looked at everything I could look at, to my knowledge anyway.  I have the token signing cert in the certificates tab in hte CP trust configuration.  I've also ensured that the hash algorithm is set to SHA-1 which is what the certificate strength is. 

I've been in constant contact with the CP organization and they've told me I have the correct certificate to decrypt the tokens that are being sent.  Is this issue as simple as a certificate mismatch or is there something more going on?

Answer 3

Hello,

I also have the same error [MSIS1022, inner exception: ID4037] upon receipt of the SAML token issued by my IDP. I suspected  a configuration problem, so I checked the CPT parameters and certificates; but I can not find what is erroneous! Have you solved your problem and how?

JRF