ADFS sign-in / sign-out fails with Microsoft error ID4037

Problem statement

We have a SAMLP connection in our tenant, which appears to be failing.

The tenant logs show multiple instances of this error:

  • The description is: “The request could not be performed due to an error on the part of the SAML responder or SAML authority”
  • The oauth error is: “The request could not be performed due to an error on the part of the SAML responder or SAML authority”

Here are the details of the error, as shown in the ADFS Event Viewer:

The error appears as follows:

<samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
</samlp:Status>

Relying Party:

urn:auth0:prod-odcem:1663934158353

Exception details:

Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
    (
    IsReadOnly = False,
    Count = 1,
    Clause[0] = Microsoft.IdentityServer.Tokens.MSISSecurityKeyIdentifierClause
    )
'. Ensure that the SecurityTokenResolver is populated with the required key.
   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.ResolveSigningCredentials()
   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.OnEndOfRootElement()
   at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.Read()
   at System.Xml.XmlReader.ReadEndElement()
   at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadAuthnRequest(XmlReader reader)
   at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
   at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Troubleshooting

Searching for the error below shows that it is related to ADFS sign-in or sign-out:

Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: **ID4037:** The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier

Here are some sample articles:

Solution

One possible fix is to re-upload the SAML connection metadata to ADFS. The stack trace shows the failure in SamlProtocolSerializer.ReadAuthnRequest, that is, while ADFS is verifying the signature on the AuthnRequest sent by the Auth0 connection, and ID4037 means that none of the certificates ADFS holds for that relying party trust matches the key that signed the request. Importing the current metadata refreshes the request-signing certificate on the trust.

You can read more about configuring ADFS as a SAML identity provider in Configure ADFS as SAML Identity Provider.

The URL used to fetch the connection metadata is shown below, where <YOUR-DOMAIN> is the Auth0 tenant domain and {connectionName} is the name of the SAMLP connection:

https://<YOUR-DOMAIN>/samlp/metadata?connection={connectionName}
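The check below is an added example, not part of the original article or of Auth0's or Microsoft's tooling. It is meant to be run in an elevated PowerShell session on the ADFS server: it downloads the connection metadata from the URL above, extracts the signing certificate(s) Auth0 publishes for the connection, compares their thumbprints with the request-signing certificates ADFS currently holds on the relying party trust, and only if they differ re-imports the metadata into that trust. The domain and connection name are placeholders; the relying party identifier is read from the metadata's entityID, which should match the Relying Party value shown in the ADFS event (urn:auth0:<tenant>:<id>).

```powershell
# Added example (not from the original article). Compares the signing
# certificate in the Auth0 connection metadata with what ADFS trusts for the
# relying party, and refreshes the trust from metadata on a mismatch.
# Placeholders: replace $Auth0Domain and $ConnectionName with your own values.

$Auth0Domain    = 'YOUR-DOMAIN'        # placeholder: Auth0 tenant domain
$ConnectionName = 'YOUR-CONNECTION'    # placeholder: SAMLP connection name
$MetadataUrl    = "https://$Auth0Domain/samlp/metadata?connection=$ConnectionName"

# 1. Fetch the current metadata and collect every signing certificate in it.
[xml]$metadata = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

$metadataThumbprints = @()
foreach ($kd in $metadata.SelectNodes('//md:SPSSODescriptor/md:KeyDescriptor', $ns)) {
    # A KeyDescriptor without a "use" attribute is valid for signing and encryption.
    $use = $kd.GetAttribute('use')
    if ($use -and $use -ne 'signing') { continue }
    $b64  = $kd.SelectSingleNode('ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns).InnerText
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String(($b64 -replace '\s', '')))
    $metadataThumbprints += $cert.Thumbprint
}
if (-not $metadataThumbprints) { throw "No signing certificate found in $MetadataUrl" }

# 2. Read the certificates ADFS accepts for signed requests from this relying party.
$entityId = $metadata.EntityDescriptor.entityID
$rp = Get-AdfsRelyingPartyTrust -Identifier $entityId
if (-not $rp) { throw "No relying party trust with identifier '$entityId'" }
$adfsThumbprints = @($rp.RequestSigningCertificate | ForEach-Object { $_.Thumbprint })

# 3. ID4037 is raised when the key that signed the AuthnRequest is not among
#    RequestSigningCertificate, so a thumbprint missing here is the mismatch to fix.
$missing = @($metadataThumbprints | Where-Object { $adfsThumbprints -notcontains $_ })
if ($missing.Count -eq 0) {
    Write-Host "Trust '$entityId' already holds the signing certificate(s): $($adfsThumbprints -join ', ')"
    return
}
Write-Warning "Signing certificate(s) in metadata but not on the trust: $($missing -join ', ')"

# 4. Re-import the metadata into the existing trust (the fix the article suggests).
$tmp = Join-Path $env:TEMP 'auth0-sp-metadata.xml'
$metadata.Save($tmp)
Update-AdfsRelyingPartyTrust -TargetIdentifier $entityId -MetadataFile $tmp
Write-Host "Relying party trust '$entityId' updated from $MetadataUrl"
```

Re-run the script after the update: it should now report that the trust already holds the certificate(s), and the next sign-in through the connection should no longer log ID4037. If the metadata contains no signing certificate at all, the connection itself is not configured to sign requests, and the mismatch lies elsewhere.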