
ADFS 2.0 - Redirecting fine, but throwing an error on the webserver


I'm very new to ADFS, so go easy on me. The startup class based on the Epi Documentation seems to be working correctly. If I try to hit myurl.gov/episerver for this test site, it passes through the ADFS server and sends me back to the home page. Unfortunately I'm getting an error on the webserver.

IDX10503: Signature validation failed. Keys tried: '[PII is hidden by default. Set the 'ShowPII' flag in IdentityModelEventSource.cs to true to reveal it.]'.
Exceptions caught:
'[PII is hidden by default. Set the 'ShowPII' flag in IdentityModelEventSource.cs to true to reveal it.]'.
token: '[PII is hidden by default. Set the 'ShowPII' flag in IdentityModelEventSource.cs to true to reveal it.]'.

Has anyone come across this? 

Thanks!

#194119
Jun 13, 2018 21:20

Hi Erik,

I faced this same error with OpenId Connect implementation. The problem obviously is that the default signature validator cannot validate the token signature.

First to see the "PII is hidden..." you need to add this in your code:

Microsoft.IdentityModel.Logging.IdentityModelEventSource.ShowPII = true;

That way you will see what key was used to try to validate the signature (there could be multiple but usually there is just one). But that will most likely not help you much with the issue; you can just check that it is using the correct key to validate the signature.

You should check from the returned token header what algorithm is used to verify the signature (header alg value), it could be a public key or a certificate etc.

Have a look at this article (might help you): https://medium.com/the-new-control-plane/validating-an-adfs-jwt-token-1146bb529a2a

In my case the problem was that the public key returned from the JWKS endpoint had zero as the first byte, which made the key "invalid", and I had to implement a custom signature validator which removed the first zero byte from the key and ta-daa, signature validation started to work (this was with the OpenAM product, but the same issue has been reported with SalesForce in the past, but it is fixed by SalesForce).

#194488
Jun 22, 2018 10:31
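As an added illustration of the approach described in the reply above (not code from the thread, from Episerver, or from the Microsoft.IdentityModel library itself): instead of replacing signature validation wholesale, a `IssuerSigningKeyResolver` can hand the default validator an RSA key whose modulus has had a leading 0x00 byte trimmed, and a small helper reads the token header so the `alg` and `kid` can be compared with the key list. The class name `AdfsTokenKeys`, the method names, and the assumption that the issuer's JWKS document has already been fetched into a `JsonWebKeySet` are mine; the issuer and audience values are placeholders you must supply.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Logging;
using Microsoft.IdentityModel.Tokens;

// Added example; not from the thread or from Episerver.
// Assumption: jwks has already been loaded from the issuer's JWKS endpoint
// (for ADFS, the jwks_uri in the OpenID Connect discovery document).
public static class AdfsTokenKeys
{
    // Build an RsaSecurityKey from a JWK, dropping a leading 0x00 byte from
    // the modulus. Some providers serialise the modulus as a signed
    // big-endian integer; RSAParameters then rejects the key as invalid.
    public static RsaSecurityKey ToRsaKey(JsonWebKey jwk)
    {
        byte[] modulus = Base64UrlEncoder.DecodeBytes(jwk.N);
        if (modulus.Length > 1 && modulus[0] == 0x00)
        {
            byte[] trimmed = new byte[modulus.Length - 1];
            Buffer.BlockCopy(modulus, 1, trimmed, 0, trimmed.Length);
            modulus = trimmed;
        }

        var parameters = new RSAParameters
        {
            Modulus = modulus,
            Exponent = Base64UrlEncoder.DecodeBytes(jwk.E),
        };
        var rsa = RSA.Create();
        rsa.ImportParameters(parameters);
        return new RsaSecurityKey(rsa) { KeyId = jwk.Kid };
    }

    // Validation parameters that resolve the signing key by kid and leave the
    // library's own signature check in place.
    public static TokenValidationParameters Build(JsonWebKeySet jwks, string issuer, string audience)
    {
        // Only in a development environment: reveals the key ids and the
        // token behind IDX10503 in the log output.
        IdentityModelEventSource.ShowPII = true;

        return new TokenValidationParameters
        {
            ValidIssuer = issuer,      // e.g. "https://<adfs-host>/adfs" (placeholder)
            ValidAudience = audience,  // the relying party identifier (placeholder)
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            IssuerSigningKeyResolver = (token, securityToken, kid, validationParameters) =>
            {
                var keys = new List<SecurityKey>();
                foreach (JsonWebKey jwk in jwks.Keys)
                {
                    // Only RSA keys, and only the one named in the header when a kid is present.
                    if (jwk.Kty == "RSA" && (kid == null || jwk.Kid == kid))
                        keys.Add(ToRsaKey(jwk));
                }
                return keys;
            },
        };
    }

    // Reads alg and kid from the header WITHOUT validating the token, so the
    // values can be compared against the keys the resolver returns.
    public static (string Alg, string Kid) ReadHeader(string jwt)
    {
        JwtSecurityToken token = new JwtSecurityTokenHandler().ReadJwtToken(jwt);
        return (token.Header.Alg, token.Header.Kid);
    }

    // Full validation using the parameters above.
    public static System.Security.Claims.ClaimsPrincipal Validate(string jwt, JsonWebKeySet jwks, string issuer, string audience)
    {
        var handler = new JwtSecurityTokenHandler();
        return handler.ValidateToken(jwt, Build(jwks, issuer, audience), out SecurityToken _);
    }
}
```

Keep `ShowPII` off outside development: it writes key material and the raw token into the log. Resolving the key by `kid` rather than returning every key also keeps the "Keys tried" list in the IDX10503 message short, which makes the mismatch easier to spot when it is a wrong key rather than a malformed one.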

I know this is resurrecting an old issue, but I managed to get it to authenticate correctly by changing the hash algorithm to SHA-256 in the relying party config. Users and roles are populating the db accordingly.

Thank you for the previous response, but honestly I tried just about everything and I still couldn't get that to show the error. Changed the machine config vals and added ShowPII to my OWIN logging but VS yelled at me as well. Thankfully I solved this one through stubborn trial and error.

#195399
Edited, Jul 24, 2018 0:23