SAML request signing not working. AADSTS76027: No certificate matching provided KeyInfo. Check that app is configured correctly.

Venkat 0 Reputation points
2023-09-25T10:00:23.6933333+00:00

When trying to authenticate against Azure AD SAML with signed authentication requests from the SP to the IdP (Azure), I am getting the following error:

AADSTS76027: No certificate matching provided KeyInfo. Check that app is configured correctly.

Request format, for example:

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                    Version="2.0"
                    ID="_a9a04338-fc62-494c-9a89-01cee975e716"
                    IssueInstant="2023-09-25T09:55:49.000Z"
                    >
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://samltoolkit.azurewebsites.net/kong_saml</saml:Issuer>
    <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
        <dsig:SignedInfo>
            <dsig:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <dsig:Reference URI="#_a9a04338-fc62-494c-9a89-01cee975e716">
                <dsig:Transforms>
                    <dsig:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                    <dsig:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
                </dsig:Transforms>
                <!-- NOTE: this Algorithm URI names the RSA-SHA256 *signature* method; a DigestMethod must name a digest algorithm, e.g. http://www.w3.org/2001/04/xmlenc#sha256 -->
                <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
                <dsig:DigestValue>H297lnnd6XbVnTIkr2VgBGza6QuZ2vcC/3xoSdSD80U=</dsig:DigestValue>
            </dsig:Reference>
        </dsig:SignedInfo>
        <dsig:SignatureValue>rvmINu0N0YUSBwNzB10ofSfPs+uE1890ha3xwakSpM8Q+ms9pN3Havqc6hhplqBUOcufaWEq6EDr0+EEV8hSF1Rb5dsT4tGGrhuHAvqdVIFjX1WdJlNym9uvLk4FhDFgEN3nqaws8OqDVoXbP6MUwFpjQZDgEAQ4BSTgbbe6zP0+v7m8jkR9HluUEdaM1L/4ywMrcK4I9tHa3rVxOmkH0ZKXqaoc5KF7rAy14RS4YAHO5zlAE54h6wbjNPo7aEWH0GPEp5dGvuf0fkwrwBC1RvGDlYs9zzuQPnNs3qXsmWneQJtdkSFev4y9/dCWpfZH5Uhna+VbDWenwFzFc4yX5g==</dsig:SignatureValue>
        <dsig:KeyInfo>
            <dsig:X509Data>
                <!-- base64-encoded DER certificate omitted from the post -->
                <dsig:X509Certificate>...</dsig:X509Certificate>
            </dsig:X509Data>
        </dsig:KeyInfo>
    </dsig:Signature>
    <samlp:NameIDPolicy AllowCreate="false"
                        Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                        />
</samlp:AuthnRequest>
Microsoft Entra ID

3 answers

  1. Luke 50 Reputation points
    2023-09-28T09:17:49.01+00:00

    Ensure that the certificate you're using for signing the SAML request is correctly configured. The error suggests that the KeyInfo in the SAML request does not match any valid certificate on Azure AD's side. Double-check the certificate thumbprint or details in your Azure AD app configuration to make sure they match the certificate used for signing.

    In your Azure AD app registration for the SP, make sure you have configured the correct certificate for SAML signing. Go to the Azure portal, navigate to your app registration, and check the "Certificates & secrets" section to ensure the certificate is uploaded and correctly associated with the app.

    Ensure that the "Issuer" in your SAML request (saml:Issuer) matches the configured Issuer URI in your Azure AD app registration. They should be identical.

    1 person found this answer helpful.
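An added check, not part of this thread or of any Microsoft tooling: the AADSTS76027 message says the IdP found no configured certificate matching the one carried in `ds:KeyInfo`, so the fastest way to confirm or rule out a mismatch is to compute the thumbprint of the certificate inside the AuthnRequest and compare it with the certificate file you uploaded to (or downloaded from) the enterprise application for request verification. The stdlib-only Python below does that (SHA-1 over the DER encoding, which is what the portal labels "Thumbprint"), accepts the file as PEM or binary DER, and also flags two structural problems worth ruling out in the posted request: a `Reference URI` that does not point at the request `ID`, and a `DigestMethod` whose `Algorithm` is not a digest URI (the request above uses the RSA-SHA256 signature URI there). The certificate bytes are constructed stand-ins, and the sample request is constructed to mirror the one in the question; IDs and URLs are copied from it.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# Digest algorithm URIs (XMLDSIG core, xmlenc, RFC 4051). ds:DigestMethod must name one of
# these; ...xmldsig-more#rsa-sha256 is a ds:SignatureMethod identifier, not a digest.
DIGEST_URIS = {
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmlenc#sha512",
}

def load_cert_der(data: bytes) -> bytes:
    """Return raw DER from a certificate file given as PEM (.crt / Base-64 .cer) or DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data

def thumbprint(der: bytes, algo: str = "sha1") -> str:
    """Uppercase hex fingerprint over DER; SHA-1 is what the portal labels 'Thumbprint'."""
    return hashlib.new(algo, der).hexdigest().upper()

def keyinfo_cert_der(authn_request_xml: str) -> bytes:
    """Decode the base64 ds:X509Certificate carried in the request's KeyInfo."""
    root = ET.fromstring(authn_request_xml)
    node = root.find(f"./{DSIG}Signature/{DSIG}KeyInfo/{DSIG}X509Data/{DSIG}X509Certificate")
    if node is None or not (node.text or "").strip():
        raise ValueError("no ds:X509Certificate in KeyInfo")
    return base64.b64decode("".join(node.text.split()))

def keyinfo_matches(authn_request_xml: str, configured_cert: bytes) -> bool:
    """True when KeyInfo carries exactly the certificate configured on the IdP side."""
    return thumbprint(keyinfo_cert_der(authn_request_xml)) == thumbprint(load_cert_der(configured_cert))

def lint_authn_request(authn_request_xml: str) -> list:
    """Cheap structural checks on the signature block; returns human-readable findings."""
    findings, root = [], ET.fromstring(authn_request_xml)
    req_id = root.get("ID")
    ref = root.find(f"./{DSIG}Signature/{DSIG}SignedInfo/{DSIG}Reference")
    if ref is None:
        findings.append("no ds:Reference in SignedInfo")
    else:
        if ref.get("URI") != f"#{req_id}":
            findings.append(f"Reference URI {ref.get('URI')!r} does not point at request ID {req_id!r}")
        dm = ref.find(f"{DSIG}DigestMethod")
        alg = dm.get("Algorithm") if dm is not None else None
        if alg not in DIGEST_URIS:
            findings.append(f"DigestMethod {alg!r} is not a digest algorithm URI")
    issuer = root.find(f"./{SAML}Issuer")
    if issuer is None or not (issuer.text or "").strip():
        findings.append("missing saml:Issuer (must equal the Identifier configured for the app)")
    return findings

def to_pem(der: bytes) -> bytes:
    """Wrap DER as PEM, the form a Base-64 encoded .cer export comes in."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n".encode()

# Constructed stand-ins; in real use these are the SP's actual DER certificate bytes.
SP_CERT_DER = b"constructed stand-in for the DER bytes of the SP signing certificate"
WRONG_CERT_DER = b"constructed stand-in for a different certificate uploaded by mistake"
CONFIGURED_PEM = to_pem(SP_CERT_DER)   # stands for the .cer downloaded from the portal
WRONG_PEM = to_pem(WRONG_CERT_DER)

# Constructed request mirroring the structure posted in the question, including its
# DigestMethod URI, with the certificate replaced by the stand-in above.
SAMPLE_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    Version="2.0" ID="_a9a04338-fc62-494c-9a89-01cee975e716" IssueInstant="2023-09-25T09:55:49.000Z">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://samltoolkit.azurewebsites.net/kong_saml</saml:Issuer>
  <dsig:Signature xmlns:dsig="http://www.w3.org/2000/09/xmldsig#">
    <dsig:SignedInfo>
      <dsig:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <dsig:Reference URI="#_a9a04338-fc62-494c-9a89-01cee975e716">
        <dsig:DigestMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
        <dsig:DigestValue>H297lnnd6XbVnTIkr2VgBGza6QuZ2vcC/3xoSdSD80U=</dsig:DigestValue>
      </dsig:Reference>
    </dsig:SignedInfo>
    <dsig:SignatureValue>c2lnbmF0dXJlLXBsYWNlaG9sZGVy</dsig:SignatureValue>
    <dsig:KeyInfo><dsig:X509Data><dsig:X509Certificate>{base64.b64encode(SP_CERT_DER).decode()}</dsig:X509Certificate></dsig:X509Data></dsig:KeyInfo>
  </dsig:Signature>
</samlp:AuthnRequest>"""

if __name__ == "__main__":
    for finding in lint_authn_request(SAMPLE_REQUEST):
        print("finding:", finding)
    print("KeyInfo thumbprint:", thumbprint(keyinfo_cert_der(SAMPLE_REQUEST)))
    print("matches configured cert:", keyinfo_matches(SAMPLE_REQUEST, CONFIGURED_PEM))
    print("matches wrong cert:", keyinfo_matches(SAMPLE_REQUEST, WRONG_PEM))
```

Run it against the real AuthnRequest (decoded from the SAMLRequest parameter) and the real .cer: if the two thumbprints differ, the certificate in KeyInfo is not the one the app is configured with, which is exactly what AADSTS76027 reports; if they match and the error persists, look at the findings and at the Issuer/Identifier configuration instead.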

  2. Michael Smith-MSFT 2,916 Reputation points Microsoft Employee
    2023-09-25T12:31:48.72+00:00

    Hi Venkat,

    Thank you for contacting the community for help with your issue.

    From the URL above (https://samltoolkit.azurewebsites.net/kong_saml) it appears you are testing out the SAML toolkit.

    Can you please download the raw certificate from the SAML toolkit app in Azure Enterprise applications?

    And copy the 3 URLs from step 4.

    Go to the SAML toolkit config page and create a new configuration:

    https://samltoolkit.azurewebsites.net/SAMLSSOconfig


    Add the 3 URLs, choose the certificate you downloaded, then click Create.


    Copy the login URL and ACS URL and paste them into the Azure app configuration.

    Test your login URL and check if it's OK now.

    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

  3. Michael Smith-MSFT 2,916 Reputation points Microsoft Employee
    2023-10-09T08:07:00.3933333+00:00

    You can set up a free developer instance of Salesforce and integrate it with Azure AD.

    I have tested this myself and have a working lab with Salesforce using signature verification.

    Create a Salesforce instance.

    Salesforce Developers

    Integrate with Azure AD. Follow all steps in this tutorial:

    Tutorial: Microsoft Entra single sign-on (SSO) integration with Salesforce - Microsoft Entra | Microsoft Learn

    Once you have this set up you can use the self-signed cert from Salesforce to export the public key and upload it to AAD for verification.

    Open the CRT, Copy to file, Save as CER.

    This should help you compare your request and certs.

    The documentation you can refer to for the standards we use is below.

    ietf.org/rfc/rfc4051.txt
