Error “WIF10201: No valid key mapping found” when trying to create claims from SAML

六眼飞鱼酱① 提交于 2019-12-02 07:08:55

问题


I am trying to validate a SAML response which is coming from Siteminder IDP from a third party. I have installed the certificate provided by them. When I call the ValidateToken method (System.IdentityModel.Tokens) to create claims, I get following error :

WIF10201: No valid key mapping found for securityToken:'System.IdentityModel.Tokens.X509SecurityToken' and issuer: 'issuer uri'

I dug in deep to find the error and its being thrown by method GetIssuerName (System.IdentityModel.Tokens).

Where is the problem? I googled for this issue but didn't find anything specific to my case. Does the SAML token from my client have a problem or there is something I am missing in implementation. I am fairly new to federated auth so please excuse any inaccuracy with the terminology used.

Gaurav


回答1:


Ok found the solution but could't quite understand the readon behind it (complete noob, will update the answer when I know more).

Followed this approach of converting the SAML2 response to WSFed response, then on that new token I ran my code, now the error is gone.

http://blogs.msdn.com/b/bradleycotier/archive/2012/10/28/saml-2-0-tokens-and-wif-bridging-the-divide.aspx

Note : you still have to override the validate token method (which I had originally done) to avoid the following error :

“ID4154: A Saml2SecurityToken cannot be created from the Saml2Assertion because it contains a SubjectConfirmationData which specifies an InResponseTo value. Enforcement of this value is not supported by default. To customize SubjectConfirmationData processing, extend Saml2SecurityTokenHandler and override ValidateConfirmationData.”

Thanks.




回答2:


You are probably missing a configuration that maps the issuer name (as specified inside the token) to the certificate (probably specified with a thumbprint). I guess you solve this with some configuration in your web.config. Have a look at p.e. Microsoft validating issuer name registry The page contains some sample configuration. Setting this up correctly depends entirely on your situation.




回答3:


I wanted to make a note for future reference, since I also ran into this error but my resolution was different. I got the WIF10201 error in a custom MVC application that is using ADFS (3.0) claims-based authentication under Windows Server 2012. In the web.config of the MVC application, the thumbprint of the ADFS token signing key is recorded. It turns out, when the signing certificate is about to expire, ADFS creates a new key. The new key is marked "primary" and the old key is marked as "secondary" in the ADFS console (under AD FS/Service/Certificates). So in my web.config there was, of course, still the thumbprint of the old (secondary) key. As soon as I replaced it with the thumbprint of the new (primary) key, the error disappeared.



来源:https://stackoverflow.com/questions/25014101/error-wif10201-no-valid-key-mapping-found-when-trying-to-create-claims-from-s

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!