
ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier

Oct 15, 2014 at 9:49 PM
Hi,
I am trying to read SAML2P tokens from Ping Identity server [Not ADFS] and convert them into claims.
        public override SecurityToken ReadToken(XmlReader reader)        
        {
            return base.ReadToken(reader) as Saml2SecurityToken;
        }
The assertion is signed, but does not have the public key in it. I suspect I therefore get the ID4037 error. However, the next code does not help me further. I see two potential solutions:
  1. Provide the required data for which the Exception is thrown;
  2. Disable the validation of the signature and just convert the attributes into tokens.
Any idea how to do this? And is this indeed the solution to the Exception?
J.
    using System;
    using System.Collections.ObjectModel;
    using System.IdentityModel.Selectors;
    using System.IdentityModel.Services;
    using System.IdentityModel.Tokens;
    using System.Security.Cryptography.X509Certificates;

    public class Saml2ResponseSecurityTokenHandler : Saml2SecurityTokenHandler
    {
        public static Saml2ResponseSecurityTokenHandler GetSaml2SecurityTokenHandler()
        {
            var handler = new Saml2ResponseSecurityTokenHandler();
            var identityConfiguration = FederatedAuthentication.FederationConfiguration.IdentityConfiguration;

            var audienceRestriction = new AudienceRestriction(AudienceUriMode.Always);
            audienceRestriction.AllowedAudienceUris.Add(
                new Uri("http://rp.dev"));

            // Placeholder thumbprint of the identity provider's signing certificate.
            var thumbPrint = "dffff";
            var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
            store.Open(OpenFlags.ReadOnly);
            var certificates = store.Certificates.Find(X509FindType.FindByThumbprint, thumbPrint, true);
            store.Close();
            X509Certificate2 identityProviderCertificate = certificates[0];

            var securityTokenResolver = SecurityTokenResolver.CreateDefaultSecurityTokenResolver(
                new ReadOnlyCollection<SecurityToken>(
                    new SecurityToken[] { new X509SecurityToken(identityProviderCertificate) }), false);

            handler.Configuration = new SecurityTokenHandlerConfiguration
            {
                SaveBootstrapContext = identityConfiguration.SaveBootstrapContext,
                AudienceRestriction = audienceRestriction, //identityConfiguration.AudienceRestriction,
                IssuerNameRegistry = new Saml2ResponseIssuerNameRegistry(),
                CertificateValidationMode = identityConfiguration.CertificateValidationMode,
                RevocationMode = identityConfiguration.RevocationMode,
                ServiceTokenResolver = securityTokenResolver,
            };

            return handler;
        }
    }
Oct 27, 2014 at 7:05 PM
Resolved by adding a custom IssuerTokenResolver which adds the X509 certificate
Mar 10, 2015 at 9:27 PM
When you say "adding a custom issuertokenresolver", do you mean something different than using SecurityTokenResolver.CreateDefaultSecurityTokenResolver and assigning it in the handler config like your code example above?
Mar 12, 2015 at 3:29 AM
Does the SAML have a KeyInfo?
If so, you can do

handler.Configuration.IssuerTokenResolver = new SecurityTokenResolver(....) // your special one that will return the correct token.
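The following is an added example and not code from the thread; it illustrates both the resolution posted above (a custom IssuerTokenResolver that supplies the IdP's X509 certificate) and the last reply (assigning it to handler.Configuration.IssuerTokenResolver when the assertion carries a KeyInfo). The class names PinnedIssuerTokenResolver and Saml2HandlerFactory, the Create method, and the certificate lookup by thumbprint are assumptions; the thumbprint and audience values are placeholders. The WIF types (SecurityTokenResolver, X509SecurityToken, Saml2SecurityTokenHandler, ConfigurationBasedIssuerNameRegistry) are the real System.IdentityModel ones.

```csharp
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

// Added example (not from the thread). Resolves the assertion's signing key from a
// pinned set of IdP certificates when <ds:KeyInfo> only references the certificate
// (thumbprint, issuer/serial, SKI or raw data) instead of embedding it. Class name
// is an assumption.
public class PinnedIssuerTokenResolver : SecurityTokenResolver
{
    private readonly ReadOnlyCollection<SecurityToken> _issuerTokens;

    public PinnedIssuerTokenResolver(params X509Certificate2[] issuerCertificates)
    {
        var tokens = new SecurityToken[issuerCertificates.Length];
        for (int i = 0; i < issuerCertificates.Length; i++)
            tokens[i] = new X509SecurityToken(issuerCertificates[i]);
        _issuerTokens = new ReadOnlyCollection<SecurityToken>(tokens);
    }

    // Called with the whole KeyInfo: succeed if any clause matches a pinned certificate.
    protected override bool TryResolveTokenCore(SecurityKeyIdentifier keyIdentifier, out SecurityToken token)
    {
        token = null;
        if (keyIdentifier == null) return false;
        foreach (SecurityKeyIdentifierClause clause in keyIdentifier)
        {
            if (TryResolveTokenCore(clause, out token)) return true;
        }
        return false;
    }

    // Called with a single clause (e.g. X509ThumbprintKeyIdentifierClause or
    // X509IssuerSerialKeyIdentifierClause). X509SecurityToken already knows how to
    // match these against its certificate, so the clause is never parsed by hand.
    protected override bool TryResolveTokenCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityToken token)
    {
        token = null;
        if (keyIdentifierClause == null) return false;
        foreach (SecurityToken candidate in _issuerTokens)
        {
            if (candidate.MatchesKeyIdentifierClause(keyIdentifierClause))
            {
                token = candidate;
                return true;
            }
        }
        return false;
    }

    // The signature verifier asks for the key itself; derive it from the matched token.
    protected override bool TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, out SecurityKey key)
    {
        key = null;
        SecurityToken token;
        if (!TryResolveTokenCore(keyIdentifierClause, out token)) return false;
        key = token.ResolveKeyIdentifierClause(keyIdentifierClause);
        return key != null;
    }
}

// Assumed factory that wires the resolver into a Saml2SecurityTokenHandler.
public static class Saml2HandlerFactory
{
    public static Saml2SecurityTokenHandler Create(string idpThumbprint, Uri audience)
    {
        // Look the IdP certificate up by thumbprint (placeholder value supplied by caller).
        X509Certificate2 idpCert;
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, idpThumbprint, false);
            if (found.Count != 1)
                throw new InvalidOperationException("Expected exactly one IdP certificate for thumbprint " + idpThumbprint);
            idpCert = found[0];
        }
        finally
        {
            store.Close();
        }

        var audienceRestriction = new AudienceRestriction(AudienceUriMode.Always);
        audienceRestriction.AllowedAudienceUris.Add(audience);

        // Trust only this certificate as an issuer, keyed by its thumbprint.
        var issuerRegistry = new ConfigurationBasedIssuerNameRegistry();
        issuerRegistry.AddTrustedIssuer(idpCert.Thumbprint, "ping-idp");

        var handler = new Saml2SecurityTokenHandler();
        handler.Configuration = new SecurityTokenHandlerConfiguration
        {
            AudienceRestriction = audienceRestriction,
            IssuerNameRegistry = issuerRegistry,
            // The key that signed an inbound assertion is looked up through
            // IssuerTokenResolver. ServiceTokenResolver is consulted only for this
            // relying party's own keys (e.g. to decrypt an EncryptedAssertion), so a
            // resolver placed there is never asked for the IdP key and ID4037 remains.
            IssuerTokenResolver = new PinnedIssuerTokenResolver(idpCert),
        };
        return handler;
    }
}
```

The resolver answers only for certificates it was constructed with and never falls back to key material carried inside the message, so the signature check still binds the assertion to the pinned IdP certificate; the second option from the question (skipping signature validation) is deliberately not implemented here. Note that `MatchesKeyIdentifierClause` on `X509SecurityToken` covers thumbprint, issuer/serial, subject key identifier and raw-data clauses, which is what a Ping Identity assertion's KeyInfo usually carries when the certificate itself is omitted.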