You can't check revocation on a self-signed certificate. So you would have to disable the SigningCertificateRevocationCheck on the SP.
Unable to authenticate with SAML server while using self-signed certificates
There is a Java web application running on the Liberty profile, configured with a SAML server for authentication.
On the Liberty side, we are using self-signed certificates (root CA and leaf certificates).
When I try to authenticate to the application, it redirects me to the SAML login page, and after login I can see that the response is 403.
HTTP Error 403 - Forbidden
Please contact the administrator for further information
When I check on the SAML server, I see the following errors in the log file.
Encountered error during federation passive request.
Additional Data
Protocol Name:
Saml
Relying Party:
https://<hostname>/ibm/saml20/defaultSP
Exception details:
Microsoft.IdentityServer.Service.SecurityTokenService.RevocationValidationException: MSIS3015: The signing certificate of the claims provider trust 'https://<hostname>/ibm/saml20/defaultSP' identified by thumbprint '9028CE937C8E3B543015296F87285DC7BF153AC2' is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted.
at Microsoft.IdentityServer.Service.Tokens.MSISX509SecurityToken.MatchesKeyIdentifierClause(SecurityKeyIdentifierClause keyIdentifierClause)
at System.IdentityModel.Tokens.SecurityToken.ResolveKeyIdentifierClause(SecurityKeyIdentifierClause keyIdentifierClause)
at System.IdentityModel.Selectors.SecurityTokenResolver.SimpleTokenResolver.TryResolveSecurityKeyCore(SecurityKeyIdentifierClause keyIdentifierClause, SecurityKey& key)
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.ResolveSigningCredentials()
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.OnEndOfRootElement()
at Microsoft.IdentityModel.Protocols.XmlSignature.EnvelopedSignatureReader.Read()
at System.Xml.XmlReader.ReadEndElement()
at Microsoft.IdentityServer.Protocols.Saml.SamlProtocolSerializer.ReadAuthnRequest(XmlReader reader)
at Microsoft.IdentityServer.Protocols.Saml.HttpSamlBindingSerializer.ReadProtocolMessage(String encodedSamlMessage)
at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)
The self-signed certificates used above are valid and not expired.
The root CA certificate is also added to the SAML ADFSTrustedDevices store and to the Windows root certificate trust store.
However, it's not working.
Can you please suggest what the issue is when using self-signed certificates?
Note: When we bypass the certificate checks as follows, it works.
Set-AdfsRelyingPartyTrust -TargetName "Rahul-1" -SigningCertificateRevocationCheck None
Set-AdfsRelyingPartyTrust -TargetName "Rahul-1" -EncryptionCertificateRevocationCheck None
However, we do not want to work around this and would like to solve it.
Any pointers regarding this issue will be appreciated.
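Before disabling the revocation check with the commands above, it is worth confirming why AD FS cannot complete it: a revocation check can only succeed if the SP certificate carries a CRL Distribution Points or an OCSP/AIA extension, and a self-signed or private-CA certificate typically has neither. The following added diagnostic (not part of the question or answer) reads the trust's current revocation settings and inspects the SP certificates for those extensions; it assumes the AD FS PowerShell module on the federation server, the trust name "Rahul-1" from the question, and the RequestSigningCertificate / EncryptionCertificate property names of the relying party trust object.

```powershell
# Added diagnostic, not from the original post. Assumes the AD FS module is
# loaded and the relying party trust is named "Rahul-1" as in the question.
$rpName = "Rahul-1"
$rp = Get-AdfsRelyingPartyTrust -Name $rpName

# Current revocation policy applied to the SP's signing and encryption certs.
$rp | Select-Object Name, Identifier,
    SigningCertificateRevocationCheck,
    EncryptionCertificateRevocationCheck | Format-List

# AD FS can only check revocation if the certificate says where to look:
# CRL Distribution Points (OID 2.5.29.31) or Authority Information Access
# with an OCSP responder (OID 1.3.6.1.5.5.7.1.1). Without either, any
# setting other than None will fail with MSIS3015 as in the trace above.
$certs = @($rp.RequestSigningCertificate) + @($rp.EncryptionCertificate)
foreach ($cert in $certs) {
    if ($null -eq $cert) { continue }
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    [pscustomobject]@{
        Subject             = $cert.Subject
        Issuer              = $cert.Issuer
        Thumbprint          = $cert.Thumbprint   # compare with the MSIS3015 thumbprint
        SelfSigned          = ($cert.Subject -eq $cert.Issuer)
        NotAfter            = $cert.NotAfter
        HasCrlDistPoints    = [bool]$cdp
        HasAiaOcsp          = [bool]$aia
        RevocationCheckable = [bool]($cdp -or $aia)
    }
}
```

If RevocationCheckable is False for the certificate whose thumbprint appears in the MSIS3015 error, the check can never pass for that certificate, which is the situation the answer describes; if it is True, the revocation endpoint's reachability from the AD FS server is the next thing to verify.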
1 answer
Pierre Audonnet - MSFT 10,181 Reputation points Microsoft Employee
2021-07-09T17:22:30.283+00:00