Symptoms

  • During a federation passive sign-in request using SAML 2.0 protocol, the request fails and the user lands on the AD FS 2.0 error page
  • The Verbose AD FS 2.0/Admin log shows Error event 303:

Log Name:      AD FS 2.0/Admin
Source:        AD FS 2.0
Date:          9/17/2010 10:54:19 AM
Event ID:      303
Task Category: None
Level:         Error
Keywords:      AD FS
User:          NETWORK SERVICE
Computer:      ADFS.ADATUM.COM

Description:
The Federation Service encountered an error while processing the SAML authentication request.

Additional Data
Exception details:
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
    (
    IsReadOnly = False,
    Count = 1,
    Clause[0] = Microsoft.IdentityServer.Tokens.MSISSecurityKeyIdentifierClause
    )
'. Ensure that the SecurityTokenResolver is populated with the required key.
   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.ResolveSigningCredentials()
   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.OnEndOfRootElement()
   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.Read()
   at System.Xml.XmlReader.ReadEndElement()
   at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadAuthnRequest(XmlReader reader)
   at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadSamlMessage(XmlReader reader, NamespaceContext context)
   at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
   at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.CreateErrorMessage(CreateErrorMessageRequest createErrorMessageRequest)
   at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)

Cause

  • The Relying Party (RP) is sending a SAMLRequest which is digitally signed, and the RP Trust in AD FS 2.0 is not configured with a signing certificate on the Signature tab of the trust.

Resolution

  • Obtain the public key of the signing certificate either by parsing the SAMLRequest or by asking the RP to send it to you.
  • Import the certificate to the Signature tab of the RP Trust

Note: This introduces certificate chaining and revocation checking. To disable the revocation check specifically for a signing certificate, use the following PSH cmdlet:

  •   Set-ADFSRelyingPartyTrust –TargetName “Name property of your RP Trust” –SigningCertificateRevocationCheck “None”