ADFS Sign-In / Sign-Out Fails with Microsoft Error ID4037

Last Updated: Aug 2, 2024

Overview

A SAMLP connection is configured in the tenant. The login flow fails, and the tenant logs show multiple instances of these related errors:

  • The description is: “The request could not be performed due to an error on the part of the SAML responder or SAML authority”
  • The OAuth error is: “The request could not be performed due to an error on the part of the SAML responder or SAML authority”

Here are the details of the error that gets thrown, as shown in the ADFS Event Viewer:

<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" /></samlp:Status>

Relying Party:

urn:auth0:TENANT-NAME:CONNECTION-NAME

Exception details:

Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
    (
    IsReadOnly = False,
    Count = 1,
    Clause[0] = Microsoft.IdentityServer.Tokens.MSISSecurityKeyIdentifierClause
    )
'. Ensure that the SecurityTokenResolver is populated with the required key.
   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.ResolveSigningCredentials()
   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.OnEndOfRootElement()
   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.Read()
   at System.Xml.XmlReader.ReadEndElement()
   at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadAuthnRequest(XmlReader reader)
   at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
   at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Applies To

  • Microsoft Error ID4037
  • Active Directory Federation Services (AD FS)

Cause

Typically, this error occurs because of a misconfiguration of the relying party trust in AD FS, not a fault in the SAML flow itself.

To troubleshoot the issue, take a closer look at the error message that gets thrown:

Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier

The stack trace shows the failure inside ReadAuthnRequest, while AD FS is verifying the signature on the AuthnRequest sent by the relying party (urn:auth0:TENANT-NAME:CONNECTION-NAME). ID4037 means AD FS could not find, among the certificates registered on that relying party trust, a key matching the key identifier in the request's signature, so it rejected the request with a Responder status instead of signing the user in. In other words, the request-signing certificate AD FS holds for the connection does not match the key the connection is currently signing with.
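As an added diagnostic that is not part of the original article, the check below compares the certificate a signed AuthnRequest carries in its ds:KeyInfo with the request-signing certificates published in the SP (Auth0 connection) metadata, which is what AD FS imports into the relying party trust. The XML samples and the certificate bytes are constructed placeholders, not real requests or certificates; the comparison is by SHA-1 thumbprint, the form AD FS displays.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def thumbprint(b64_der: str) -> str:
    """SHA-1 thumbprint of a base64 DER certificate, the form AD FS displays."""
    return hashlib.sha1(base64.b64decode("".join(b64_der.split()))).hexdigest().upper()

def request_cert_thumbprints(authn_request_xml: str) -> list:
    """Certificates AD FS must resolve: those carried in the AuthnRequest's ds:KeyInfo."""
    root = ET.fromstring(authn_request_xml)
    return [thumbprint(c.text) for c in root.findall(".//ds:Signature//ds:X509Certificate", NS)]

def metadata_signing_thumbprints(metadata_xml: str) -> list:
    """Signing certs AD FS imports from SP metadata; a KeyDescriptor with no 'use' also counts."""
    root = ET.fromstring(metadata_xml)
    return [thumbprint(c.text)
            for kd in root.findall(".//md:SPSSODescriptor/md:KeyDescriptor", NS)
            if kd.get("use") in (None, "signing")
            for c in kd.findall(".//ds:X509Certificate", NS)]

def diagnose(authn_request_xml: str, metadata_xml: str) -> str:
    """'ok' when every certificate used to sign the request is known from the metadata."""
    trusted = set(metadata_signing_thumbprints(metadata_xml))
    missing = [t for t in request_cert_thumbprints(authn_request_xml) if t not in trusted]
    return "ok" if not missing else "ID4037-likely: unknown signing cert(s) " + ", ".join(missing)

# Constructed placeholder bytes standing in for DER certificates (not real certificates).
CERT_A = base64.b64encode(b"constructed-cert-A").decode()
CERT_B = base64.b64encode(b"constructed-cert-B").decode()

def authn_request(cert_b64: str) -> str:
    """Minimal constructed AuthnRequest whose signature advertises cert_b64 in KeyInfo."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" ID="_1">'
            f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{cert_b64}</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></ds:Signature></samlp:AuthnRequest>')

def sp_metadata(cert_b64: str) -> str:
    """Minimal constructed SP metadata publishing cert_b64 as the request-signing certificate."""
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" entityID="urn:auth0:TENANT-NAME:CONNECTION-NAME">'
            f'<md:SPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="{NS["ds"]}">'
            f'<ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data>'
            '</ds:KeyInfo></md:KeyDescriptor></md:SPSSODescriptor></md:EntityDescriptor>')
```

A reported mismatch is the condition ID4037 describes: the trust holds no certificate for the key the request references, and re-importing current metadata is what refreshes those certificates.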

Solution

Re-upload the SAML Connection Metadata to the ADFS.

The URL used to fetch the connection metadata is:

Related References