Getting key not trusted when configuring connection to Entra ADFS

Ryan_Wakefield
World-Class Innovator

So we are working on configuring our connection to a new Entra ADFS, but when I go to log in, I am getting the following error message:


--------------------------------------------------------------------------------------------------------------------------------------------------------------

Sustainsys.Saml2.Exceptions.InvalidSignatureException: The signature verified correctly with the key contained in the signature, but that key is not trusted.
at Sustainsys.Saml2.XmlHelpers.VerifySignature(IEnumerable`1 signingKeys, SignedXml signedXml, XmlElement signatureElement, Boolean validateCertificate)
at Sustainsys.Saml2.XmlHelpers.IsSignedByAny(XmlElement xmlElement, IEnumerable`1 signingKeys, Boolean validateCertificate, String minimumSigningAlgorithm)
at Sustainsys.Saml2.Saml2P.Saml2Response.<>c__DisplayClass60_0.<ValidateSignature>b__0(XmlElement a)
at System.Linq.Enumerable.Any[TSource](IEnumerable`1 source, Func`2 predicate)
at Sustainsys.Saml2.Saml2P.Saml2Response.ValidateSignature(IOptions options, IdentityProvider idp)
at Sustainsys.Saml2.Saml2P.Saml2Response.CreateClaims(IOptions options, IdentityProvider idp)+MoveNext()
at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
at Sustainsys.Saml2.Saml2P.Saml2Response.GetClaims(IOptions options, IDictionary`2 relayData)
at Sustainsys.Saml2.WebSso.AcsCommand.ProcessResponse(IOptions options, Saml2Response samlResponse, StoredRequestState storedRequestState, IdentityProvider identityProvider, String relayState)
at Sustainsys.Saml2.WebSso.AcsCommand.Run(HttpRequestData request, IOptions options)
at Sustainsys.Saml2.AspNetCore2.Saml2Handler.HandleRequestAsync()
at Duende.IdentityServer.Hosting.FederatedSignOut.AuthenticationRequestHandlerWrapper.HandleRequestAsync() in /_/src/IdentityServer/Hosting/FederatedSignOut/AuthenticationRequestHandlerWrapper.cs:line 52
at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
at Duende.IdentityServer.Hosting.DynamicProviders.DynamicSchemeAuthenticationMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/DynamicProviders/DynamicSchemes/DynamicSchemeAuthenticationMiddleware.cs:line 47
at Duende.IdentityServer.Hosting.BaseUrlMiddleware.Invoke(HttpContext context) in /_/src/IdentityServer/Hosting/BaseUrlMiddleware.cs:line 27
at Microsoft.AspNetCore.Localization.RequestLocalizationMiddleware.Invoke(HttpContext context)
at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware.<Invoke>g__Awaited|6_0(ExceptionHandlerMiddleware middleware, HttpContext context, Task task)

--------------------------------------------------------------------------------------------------------------------------------------------------------------


I have configured everything the right way, but it isn't working. So I am not sure what might be causing this. We are running Hyland Identity Provider/Service 4.0.0.


Thanks!

3 REPLIES

Jimmy_Byrne
Star Contributor

Hello @Ryan Wakefield,


This error usually implies that the Hyland IdP is referencing out-of-date metadata from the provider (Entra). To resolve this, please try replacing the Entra metadata that the Hyland IdS is referencing via the Hyland IdP Admin page.


One item to note for Entra, is that you'll want to ensure you're referencing the "App Federation Metadata URL" which is specific to the Enterprise Application in Entra that you are connecting to. 

[screenshot]


For more info, please see the following KB article: 


Hyland IDP: Users encounters an error when attempting to authenticate via a SAML provider, "Sorry, t...

Ryan_Wakefield

Thank you @Jimmy Byrne. That does help. However, I can confirm that we pointed to the "App Federation Metadata URL" and I use that URL in the "External IdP Metadata Location" field. It does connect, it pulls in the Entity ID, and everything shows good.

[screenshot]

 

However, I am still getting the error for some reason. Here is the relevant part of the .xml file.

[screenshot]


So at this point in time, I am not 100% sure. Hopefully you have a trick up your sleeve or whatever for me. 🙂


Thanks!

Jimmy_Byrne

@Ryan Wakefield


I just realized this is being configured with AD FS as the SAML provider, which varies slightly from using Entra as the SAML provider. The metadata seems to check out based on your screenshot.


AD FS relies on a Signing Certificate to sign the token generated by the AD FS Server. For the Hyland Identity Service (IdS) to successfully read the token, it will need the public key of the AD FS Signing Certificate installed in the Trusted People Certificate Store.


You can copy the data inside of the "X509Certificate" node and paste that into a text editor. Saving the file with a .CER extension will create the certificate with the public key. It can then be installed on the server where the Hyland IdS is running. After installing the certificate, try recycling the application pool and testing again.


If you're still running into issues I recommend submitting a case with your first line of support so we can review further. 
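The mismatch this thread is chasing (the response is signed with a certificate that the metadata the IdS trusts does not list) can be checked offline before touching the certificate store. The following script is an added example, not Hyland's or Sustainsys' code: it pulls the signing certificates out of an AD FS federation metadata document, pulls the certificate embedded in a SAML response's signature, and reports any signing certificate the metadata lacks, using the SHA-1 thumbprint so the values can be compared against what the Windows certificate store shows. The metadata, the response and the base64 "certificates" below are constructed placeholders; with real documents, replace the constants with the file contents.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def thumbprint(b64_text: str) -> str:
    """SHA-1 of the DER bytes, i.e. the value Windows shows as the certificate Thumbprint."""
    # Metadata and responses wrap the base64 across lines and indent it; drop all whitespace first.
    return hashlib.sha1(base64.b64decode("".join(b64_text.split()))).hexdigest().upper()

def metadata_signing_thumbprints(metadata_xml: str) -> set[str]:
    """Signing certificates the IdP metadata says to trust (AD FS lists old and new ones during rollover)."""
    root = ET.fromstring(metadata_xml)
    found = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        found.update(thumbprint(c.text) for c in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS))
    return found

def response_signing_thumbprints(response_xml: str) -> set[str]:
    """Certificates carried in the <ds:Signature> KeyInfo of a SAML response."""
    path = ".//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    return {thumbprint(c.text) for c in ET.fromstring(response_xml).iterfind(path, NS)}

def untrusted_signing_keys(metadata_xml: str, response_xml: str) -> set[str]:
    # Non-empty result: the response was signed with a key the trusted metadata does not list.
    return response_signing_thumbprints(response_xml) - metadata_signing_thumbprints(metadata_xml)

# Constructed placeholders standing in for real DER certificates; only their bytes matter here.
OLD_CERT = base64.b64encode(b"CONSTRUCTED-ADFS-SIGNING-CERT-OLD").decode()
NEW_CERT = base64.b64encode(b"CONSTRUCTED-ADFS-SIGNING-CERT-NEW").decode()
ENC_CERT = base64.b64encode(b"CONSTRUCTED-ADFS-ENCRYPTION-CERT").decode()
METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="http://adfs.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {OLD_CERT}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{ENC_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def sample_response(cert_b64: str) -> str:
    """A minimal constructed response whose Signature carries the given certificate."""
    return (f'<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:ds="{NS["ds"]}" ID="_abc">'
            f'<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>')

if __name__ == "__main__":
    # AD FS rolled to NEW_CERT while the IdS still holds metadata that lists only OLD_CERT.
    print("untrusted signing thumbprints:", untrusted_signing_keys(METADATA, sample_response(NEW_CERT)))
```

An empty set means the response's signing certificate is in the metadata and the trust problem lies elsewhere (stale cached metadata on the IdS side, or the certificate chain check); a non-empty set names exactly the thumbprint that needs to be present in the refreshed metadata or the Trusted People store.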
