SAML Response Processing Failure - Mismatch in the IDP Public Key in idp.xml and the SAML Response



Problem Summary

SAML Response Processing Failure - Mismatch in the IDP Public Key in idp.xml and the SAML Response

Error Message

2016-04-13 12:42:15.896 IST(+0530) default ERROR [IdSEndPoints-0] - Exception processing request com.sun.identity.saml2.common.SAML2Exception: The signing certificate does not match what's defined in the entity metadata.
at com.sun.identity.saml2.xmlsig.FMSigProvider.verify(
at com.sun.identity.saml2.protocol.impl.StatusResponseImpl.isSignatureValid(
at com.sun.identity.saml2.profile.SPACSUtils.getResponseFromPost(
at com.sun.identity.saml2.profile.SPACSUtils.getResponse(
at com.sun.identity.saml2.profile.SPACSUtils.processResponseForFedlet(
at$

Check the logs below for more information:

2016-06-17 22:46:16.971 IST(+0530) [IdSEndPoints-SAML] ERROR SAML Response processing failed with exception…

2016-06-17 22:46:16.971 IST(+0530) [IdSEndPoints-SAML] DEBUG - Health event with id SAML_RESPONSE_FLOW_FAILURE has come from IdSSAMLAsyncServlet that can potentially change the state from STATE_IN_SERVICE
2016-06-17 22:46:16.971 IST(+0530) [IdSEndPoints-SAML] changing the state as current state STATE_IN_SERVICE is different from new state PARTIAL_SERVICE as a result of SAML_RESPONSE_FLOW_FAILURE

Possible Cause

Mismatch in the IDP public key in idp.xml and the SAML response

Recommended Action
1. Update ADFS to use SHA-1 for signing and encryption.

2. Update ADFS to sign both the Assertion and the Message.
   Use the ADFS PowerShell command Get-ADFSRelyingPartyTrust -TargetName <Relying Party Trust Identifier> to verify that the field SamlResponseSignature is set to MessageAndAssertion.
   The fix is to run the ADFS PowerShell command: Set-ADFSRelyingPartyTrust -TargetName <Relying Party Trust Identifier> -SamlResponseSignature "MessageAndAssertion"

3. Upload the correct federation metadata (idp.xml) again.

4. Enable form authentication in the ADFS settings. Please refer to the articles below.

5. Under ADFS claim rules, the attribute mappings for "user_principal" and "uid" are defined as in the configuration guide.

6. After the ADFS configuration changes, run the SSO test from the IdSAdmin UI on both nodes to ensure SSO is working as expected.
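Added example, not part of this DocWiki page: a PowerShell check that reads the signing certificate out of the uploaded idp.xml, compares it with the certificates ADFS currently signs tokens with, and reports the relying party trust fields the steps above ask you to verify. The metadata path and the relying party trust name at the bottom are placeholders for your own values.

```powershell
# Added example (not from the DocWiki page). Assumed values: metadata path and
# relying party trust name are placeholders. Run on an ADFS server as an ADFS admin.
Import-Module ADFS

function Test-IdpSigningCertMatch {
    param(
        [Parameter(Mandatory)] [string] $MetadataPath,     # the idp.xml uploaded to the SP
        [Parameter(Mandatory)] [string] $RelyingPartyName  # ADFS relying party trust name
    )

    # Collect the signing certificates published in <md:KeyDescriptor> of the IdP metadata
    [xml] $md = Get-Content -Path $MetadataPath -Raw
    $ns = New-Object -TypeName System.Xml.XmlNamespaceManager -ArgumentList $md.NameTable
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $xpath = '//md:IDPSSODescriptor/md:KeyDescriptor[not(@use) or @use="signing"]' +
             '/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
    $metadataThumbprints = foreach ($node in $md.SelectNodes($xpath, $ns)) {
        $raw  = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
        $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                           -ArgumentList (,$raw)
        $cert.Thumbprint
    }

    # Certificates ADFS signs with right now (primary plus any secondary during rollover)
    $adfsSigning     = Get-AdfsCertificate -CertificateType Token-Signing
    $adfsThumbprints = $adfsSigning | ForEach-Object { $_.Thumbprint }
    $primary         = ($adfsSigning | Where-Object IsPrimary).Thumbprint

    # Relying party settings the page tells you to check
    $rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName

    [pscustomobject]@{
        MetadataSigningThumbprints = $metadataThumbprints
        AdfsSigningThumbprints     = $adfsThumbprints
        PrimaryCertInMetadata      = ($primary -in $metadataThumbprints)  # False = the mismatch in this page
        SamlResponseSignature      = $rp.SamlResponseSignature           # page expects MessageAndAssertion
        SignatureAlgorithm         = $rp.SignatureAlgorithm              # URI ending in rsa-sha1 or rsa-sha256
    }
}

# Placeholder values; replace with the real metadata file and relying party trust name
Test-IdpSigningCertMatch -MetadataPath 'C:\temp\idp.xml' -RelyingPartyName 'Cisco IdS'
```

If PrimaryCertInMetadata is False, the idp.xml the SP holds was exported before the token-signing certificate changed, which is exactly what step 3 (re-uploading the federation metadata) corrects.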

Release: Release 11.5(1)
Associated CDETS #: None
