06-14-2024 02:08 PM
So we are working on configuring our connection to a new Entra ADFS, but when I go to log in, I am getting the following error message:
--------------------------------------------------------------------------------------------------------------------------------------------------------------
Sustainsys.Saml2.Exceptions.InvalidSignatureException: The signature verified correctly with the key contained in the signature, but that key is not trusted.
at Sustainsys.Saml2.XmlHelpers.VerifySignature(IEnumerable`1 signingKeys, SignedXml signedXml, XmlElement signatureElement, Boolean validateCertificate)
at Sustainsys.Saml2.XmlHelpers.IsSignedByAny(XmlElement xmlElement, IEnumerable`1 signingKeys, Boolean validateCertificate, String minimumSigningAlgorithm)
at Sustainsys.Saml2.Saml2P.Saml2Response.<>c__DisplayClass60_0.<ValidateSignature>b__0(XmlElement a)
at System.Linq.Enumerable.Any[TSource](IEnumerable`1 source, Func`2 predicate)
at Sustainsys.Saml2.Saml2P.Saml2Response.ValidateSignature(IOptions options, IdentityProvider idp)
at Sustainsys.Saml2.Saml2P.Saml2Response.CreateClaims(IOptions options, IdentityProvider idp)+MoveNext()
at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
at Sustainsys.Saml2.Saml2P.Saml2Response.GetClaims(IOptions options, IDictionary`2 relayData)
at Sustainsys.Saml2.WebSso.AcsCommand.ProcessResponse(IOptions options, Saml2Response samlResponse, StoredRequestState storedRequestState, IdentityProvider identityProvider, String relayState)
at Sustainsys.Saml2.WebSso.AcsCommand.Run(HttpRequestData request, IOptions options)
at Sustainsys.Saml2.AspNetCore2.Saml2Handler.HandleRequestAsync()
at Duende.IdentityServer.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper.HandleRequestAsync() in /_/src/IdentityServer/Hosting/FederatedSignOut/AuthenticationRequestHandlerWrapper.cs:line 52
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Duende.IdentityServer.Hosting.DynamicProviders.DynamicSchemeAuthenticationMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/DynamicProviders/DynamicSchemes/DynamicSchemeAuthenticationMiddleware.cs:line 47
at Duende.IdentityServer.Hosting.BaseUrlMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/BaseUrlMiddleware.cs:line 27
at Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.<Invoke>g__Awaited|6_0(ExceptionHandlerMiddleware middleware, HttpContext context, Task task)
--------------------------------------------------------------------------------------------------------------------------------------------------------------
I have configured everything the right way, but it isn't working. So I am not sure what might be causing this. We are running Hyland Identity Provider/Service 4.0.0.
Thanks!
06-17-2024 05:27 AM
Hello
This error usually implies that the Hyland IdP is referencing out-of-date metadata from the provider (Entra). To resolve this, please try replacing the Entra metadata that the Hyland IdS is referencing via the Hyland IdP Admin page.
One item to note for Entra is that you'll want to ensure you're referencing the "App Federation Metadata URL", which is specific to the Enterprise Application in Entra that you are connecting to.
For more info, please see the following KB article:
06-17-2024 08:45 AM
Thank you
However, I am still getting the error for some reason. Here it is from the .xml file.
So at this point in time, I am not 100% sure. Hopefully you have a trick up your sleeve or whatever for me. 🙂
Thanks!
06-17-2024 09:14 AM
I just realized this is being configured with AD FS as the SAML provider, which varies slightly from using Entra as the SAML provider. The metadata seems to check out based on your screenshot.
AD FS relies on a Signing Certificate to sign the token generated by the AD FS Server. For the Hyland Identity Service (IdS) to successfully read the token, it will need the public key of the AD FS Signing Certificate installed in the Trusted People Certificate Store.
You can copy the data inside of the "X509Certificate" node and paste that into a text editor. Saving the file with a .CER extension will create the certificate with the public key. It can then be installed on the server where the Hyland IdS is running. After installing the certificate, try recycling the application pool and testing again.
If you're still running into issues I recommend submitting a case with your first line of support so we can review further.
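The procedure in the reply above (pull the X509Certificate node out of the AD FS federation metadata, save it as a .cer, install it into Trusted People) scripted as an added example; this is not Hyland's or Sustainsys' code. The metadata URL and the application pool name are placeholders, and the script assumes it is run as an administrator on the server hosting the Hyland IdS.

```powershell
# Added example, not part of the original thread. Placeholders: $MetadataUrl
# (your AD FS server) and the app pool name at the bottom.
param(
    [string]$MetadataUrl = 'https://adfs.example.invalid/FederationMetadata/2007-06/FederationMetadata.xml',
    [string]$OutDir = "$env:TEMP\adfs-signing"
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Download the federation metadata; the [xml] cast gives an XmlDocument.
[xml]$md = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content

$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# Only the IDPSSODescriptor's signing keys matter for token validation. AD FS
# publishes encryption and service-communication certificates in the same
# file; a KeyDescriptor with no "use" attribute counts for both purposes.
$xpath = '//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing" or not(@use)]' +
         '/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
$nodes = $md.SelectNodes($xpath, $ns)
if ($nodes.Count -eq 0) { throw "No signing certificate found in $MetadataUrl" }

$trusted = Get-ChildItem Cert:\LocalMachine\TrustedPeople
foreach ($node in $nodes) {
    # The node text is base64-encoded DER, which is exactly what a .cer file holds.
    $der  = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$der)
    $path = Join-Path $OutDir "$($cert.Thumbprint).cer"
    [IO.File]::WriteAllBytes($path, $der)

    Write-Host "Signing cert: $($cert.Subject) thumbprint $($cert.Thumbprint) expires $($cert.NotAfter)"
    if ($trusted.Thumbprint -contains $cert.Thumbprint) {
        Write-Host "  already present in LocalMachine\TrustedPeople"
    } else {
        Import-Certificate -FilePath $path -CertStoreLocation Cert:\LocalMachine\TrustedPeople | Out-Null
        Write-Host "  imported from $path"
    }
}

# Recycle the IdS application pool so the new trust is picked up (placeholder name).
# Restart-WebAppPool -Name 'HylandIdentityService'
```

AD FS automatic certificate rollover replaces the token-signing certificate periodically, so the same "key is not trusted" error returns after a rollover until the new certificate is imported the same way.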