Error “WIF10201: No valid key mapping found” when trying to create claims from SAML

野的像风 2021-01-25 05:50

I am trying to validate a SAML response which is coming from Siteminder IDP from a third party. I have installed the certificate provided by them. When I call the Valida

3 answers
  • 2021-01-25 06:15

    I wanted to make a note for future reference, since I also ran into this error but my resolution was different. I got the WIF10201 error in a custom MVC application that is using ADFS (3.0) claims-based authentication under Windows Server 2012. In the web.config of the MVC application, the thumbprint of the ADFS token signing key is recorded. It turns out, when the signing certificate is about to expire, ADFS creates a new key. The new key is marked "primary" and the old key is marked as "secondary" in the ADFS console (under AD FS/Service/Certificates). So in my web.config there was, of course, still the thumbprint of the old (secondary) key. As soon as I replaced it with the thumbprint of the new (primary) key, the error disappeared.

  • 2021-01-25 06:36

    You are probably missing a configuration that maps the issuer name (as specified inside the token) to the certificate (probably specified with a thumbprint). I guess you solve this with some configuration in your web.config. Have a look at e.g. Microsoft validating issuer name registry. The page contains some sample configuration. Setting this up correctly depends entirely on your situation.

  • 2021-01-25 06:38

    Ok, found the solution but couldn't quite understand the reason behind it (complete noob, will update the answer when I know more).

    Followed this approach of converting the SAML2 response to WSFed response, then on that new token I ran my code, now the error is gone.

    http://blogs.msdn.com/b/bradleycotier/archive/2012/10/28/saml-2-0-tokens-and-wif-bridging-the-divide.aspx

    Note: you still have to override the validate token method (which I had originally done) to avoid the following error:

    “ID4154: A Saml2SecurityToken cannot be created from the Saml2Assertion because it contains a SubjectConfirmationData which specifies an InResponseTo value. Enforcement of this value is not supported by default. To customize SubjectConfirmationData processing, extend Saml2SecurityTokenHandler and override ValidateConfirmationData.”
    

    Thanks.

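The ID4154 error quoted in the last answer comes from the default handler refusing any SubjectConfirmationData that carries InResponseTo, because it has no way to correlate it. The common shortcut of overriding ValidateConfirmationData with an empty body also drops the Recipient and time-window checks. The following added example (not code from the thread or from Microsoft) shows an override that keeps those checks and actually verifies InResponseTo; the request-ID lookup (isKnownRequestId) and the expected ACS URL (expectedRecipient) are assumed to be supplied by the application.

```csharp
using System;
using System.IdentityModel.Tokens;

// Added example, not from the thread. Assumed: the application records the IDs of the
// AuthnRequests it issued and can look them up (isKnownRequestId), and knows its own
// assertion consumer URL (expectedRecipient).
public class CheckingSaml2SecurityTokenHandler : Saml2SecurityTokenHandler
{
    private readonly Func<string, bool> _isKnownRequestId;
    private readonly Uri _expectedRecipient;

    public CheckingSaml2SecurityTokenHandler(Func<string, bool> isKnownRequestId, Uri expectedRecipient)
    {
        _isKnownRequestId = isKnownRequestId;
        _expectedRecipient = expectedRecipient;
    }

    protected override void ValidateConfirmationData(Saml2SubjectConfirmationData confirmationData)
    {
        if (confirmationData == null)
            throw new ArgumentNullException("confirmationData");

        // The base class throws ID4154 for any InResponseTo. Here it must name a request
        // this service provider actually sent; otherwise the assertion is unsolicited or
        // is being replayed into a different login attempt.
        if (confirmationData.InResponseTo == null || !_isKnownRequestId(confirmationData.InResponseTo.Value))
            throw new SecurityTokenValidationException("InResponseTo does not match an outstanding AuthnRequest.");

        // Recipient must be this service's ACS URL, or the assertion was minted for another party.
        if (confirmationData.Recipient == null || confirmationData.Recipient != _expectedRecipient)
            throw new SecurityTokenValidationException("Recipient does not match this service's ACS URL.");

        // Validity window with the configured clock skew, mirroring the base class rule.
        TimeSpan skew = Configuration != null ? Configuration.MaxClockSkew : TimeSpan.FromMinutes(5);
        DateTime now = DateTime.UtcNow;
        if (confirmationData.NotBefore.HasValue && now + skew < confirmationData.NotBefore.Value)
            throw new SecurityTokenNotYetValidException("SubjectConfirmationData is not yet valid.");
        if (confirmationData.NotOnOrAfter.HasValue && now - skew >= confirmationData.NotOnOrAfter.Value)
            throw new SecurityTokenExpiredException("SubjectConfirmationData has expired.");
    }
}
```

The handler replaces the stock Saml2SecurityTokenHandler in the securityTokenHandlers collection of the system.identityModel configuration; the issuer-name-to-thumbprint mapping from the second answer is still required separately.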