ADFS Sign-In / Sign-Out Fails with Microsoft Error ID4037

Overview

This article describes a likely cause of, and troubleshooting steps for, sign-in and sign-out failures on an Auth0 SAML connection whose identity provider is Active Directory Federation Services (AD FS). The Auth0 tenant logs show multiple failed login events with the following error description:

The request could not be performed due to an error on the part of the SAML responder or SAML authority

Here are the details of the error that gets thrown, as shown in the ADFS Event Viewer:

<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" /></samlp:Status>

Relying Party:

urn:auth0:TENANT-NAME:CONNECTION-NAME

Exception details:

Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
    (
    IsReadOnly = False,
    Count = 1,
    Clause[0] = Microsoft.IdentityServer.Tokens.MSISSecurityKeyIdentifierClause
    )
'. Ensure that the SecurityTokenResolver is populated with the required key.

Applies To

  • Microsoft Error ID4037
  • Active Directory Federation Services (AD FS)

Cause

This error typically results from a mismatch between the Auth0 SAML connection and the AD FS relying party trust that represents it. In this setup Auth0 is the relying party (service provider) and AD FS is the identity provider: Auth0 signs the SAML requests it sends, and AD FS verifies that signature against the request-signing certificate stored in the relying party trust. Specific causes include:

  • Signing Key Mismatch: The certificate AD FS needs to verify the signature on the request from Auth0 is not among the request-signing certificates of the relying party trust, so the key identifier in the signature cannot be resolved. This is the condition AD FS reports as ID4037 (the SignatureVerificationFailedException shown above) and is what happens when the Auth0 tenant signing certificate changes and AD FS still holds the old one.
  • Signature Algorithm Mismatch: The signature algorithm configured on the Auth0 connection (e.g., rsa-sha256) does not match the algorithm the AD FS relying party trust is configured to expect (e.g., rsa-sha1), as explained in Request could not be performed due to an error on the part of the SAML responder or SAML authority.

Solution

Re-import the SAML connection metadata from Auth0 into the relying party trust in Active Directory Federation Services (AD FS), so that AD FS holds the signing certificate Auth0 currently uses.

  • Obtain the metadata URL from Auth0 using the following template, replacing the placeholders <DOMAIN_NAME> and <connectionName> with the tenant domain and the connection name:

    https://<DOMAIN_NAME>/samlp/metadata?connection=<connectionName>

  • Consult the AD FS documentation for specific instructions on how to update or re-import federation metadata for a relying party trust using either the URL or a downloaded metadata file.
  • After the update, confirm that the certificate shown on the Signature tab of the relying party trust matches the signing certificate published in the Auth0 metadata, and that the trust's secure hash algorithm matches the signature algorithm configured on the Auth0 connection.
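The following PowerShell script is an added example, not part of the original article or of Auth0's or Microsoft's own tooling. It performs the check and the fix described above, and also covers the signature algorithm mismatch listed under Cause: it downloads the Auth0 SP metadata, extracts the signing certificate(s), compares their thumbprints with the request-signing certificates of the AD FS relying party trust, re-imports the metadata when they differ, and aligns the trust's signature algorithm with the connection's. It uses the standard AD FS module cmdlets and is meant to run in an elevated session on an AD FS server. The tenant domain, connection name and the rsa-sha256 expectation are placeholders/assumptions; the XPath assumes the metadata carries the certificate under md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate.

```powershell
# Added example (not from the original article). Placeholders below are assumptions:
# replace them with your own Auth0 domain and connection name.
Import-Module ADFS

$tenantDomain   = 'TENANT-NAME.auth0.com'                  # assumption
$connectionName = 'CONNECTION-NAME'                        # assumption
$metadataUrl    = "https://$tenantDomain/samlp/metadata?connection=$connectionName"
$identifier     = "urn:auth0:TENANT-NAME:$connectionName"  # the Relying Party from the AD FS event

# 1. Fetch the SP metadata Auth0 publishes and pull out the signing certificate(s).
[xml]$md = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
# Assumed layout: KeyDescriptor with use="signing" (or no use attribute) wrapping an X509Certificate.
$published = $md.SelectNodes('//md:KeyDescriptor[not(@use) or @use="signing"]//ds:X509Certificate', $ns) |
    ForEach-Object {
        $raw = [Convert]::FromBase64String(($_.InnerText -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
    }
if (-not $published) { throw "No signing certificate found in $metadataUrl" }

# 2. Compare with the certificates AD FS uses to verify Auth0's signed requests.
$trust = Get-AdfsRelyingPartyTrust -Identifier $identifier
if (-not $trust) { throw "No relying party trust with identifier $identifier" }
$known = @($trust.RequestSigningCertificate | ForEach-Object { $_.Thumbprint })

foreach ($cert in $published) {
    $state = if ($known -contains $cert.Thumbprint) { 'known to AD FS' }
             else { 'MISSING from AD FS (this is the ID4037 condition)' }
    '{0}  expires {1:yyyy-MM-dd}  {2}' -f $cert.Thumbprint, $cert.NotAfter, $state
}
$stale = $published | Where-Object { $known -notcontains $_.Thumbprint }

# 3. Fix: point the trust at the Auth0 metadata URL, import it now, and let AD FS keep it current.
if ($stale) {
    Set-AdfsRelyingPartyTrust -TargetIdentifier $identifier -MetadataUrl $metadataUrl `
        -MonitoringEnabled $true -AutoUpdateEnabled $true
    Update-AdfsRelyingPartyTrust -TargetIdentifier $identifier
    $trust = Get-AdfsRelyingPartyTrust -Identifier $identifier
    'Trust now holds: ' + (($trust.RequestSigningCertificate | ForEach-Object { $_.Thumbprint }) -join ', ')
}

# 4. Keep the request signature algorithm in step with the Auth0 connection setting.
# Assumption: the connection is left at its rsa-sha256 default; change this if yours uses rsa-sha1.
$expectedAlg = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
if ($trust.SignatureAlgorithm -ne $expectedAlg) {
    "Signature algorithm on trust is '$($trust.SignatureAlgorithm)'; setting '$expectedAlg'"
    Set-AdfsRelyingPartyTrust -TargetIdentifier $identifier -SignatureAlgorithm $expectedAlg
}
```

Running the script before applying the fix shows which of the published certificates AD FS does not know, which is the quickest way to confirm that the ID4037 event is a stale-certificate problem rather than something else. Enabling metadata monitoring and automatic update means a future rotation of the Auth0 signing certificate is picked up without repeating this procedure, provided the AD FS server can reach the metadata URL.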

Related References