Error "WIF10201: No valid key mapping found" when trying to create claims from SAML

9.2k views Asked by At

I am trying to validate a SAML response which is coming from Siteminder IDP from a third party. I have installed the certificate provided by them. When I call the ValidateToken method (System.IdentityModel.Tokens) to create claims, I get following error :

WIF10201: No valid key mapping found for securityToken:'System.IdentityModel.Tokens.X509SecurityToken' and issuer: 'issuer uri'

I dug in deep to find the error and its being thrown by method GetIssuerName (System.IdentityModel.Tokens).

Where is the problem? I googled for this issue but didn't find anything specific to my case. Does the SAML token from my client have a problem or there is something I am missing in implementation. I am fairly new to federated auth so please excuse any inaccuracy with the terminology used.

Gaurav

3

There are 3 answers

1
Gaurav On BEST ANSWER

Ok found the solution but could't quite understand the readon behind it (complete noob, will update the answer when I know more).

Followed this approach of converting the SAML2 response to WSFed response, then on that new token I ran my code, now the error is gone.

http://blogs.msdn.com/b/bradleycotier/archive/2012/10/28/saml-2-0-tokens-and-wif-bridging-the-divide.aspx

Note : you still have to override the validate token method (which I had originally done) to avoid the following error :

“ID4154: A Saml2SecurityToken cannot be created from the Saml2Assertion because it contains a SubjectConfirmationData which specifies an InResponseTo value. Enforcement of this value is not supported by default. To customize SubjectConfirmationData processing, extend Saml2SecurityTokenHandler and override ValidateConfirmationData.”

Thanks.

0
lzydrmr On

I wanted to make a note for future reference, since I also ran into this error but my resolution was different. I got the WIF10201 error in a custom MVC application that is using ADFS (3.0) claims-based authentication under Windows Server 2012. In the web.config of the MVC application, the thumbprint of the ADFS token signing key is recorded. It turns out, when the signing certificate is about to expire, ADFS creates a new key. The new key is marked "primary" and the old key is marked as "secondary" in the ADFS console (under AD FS/Service/Certificates). So in my web.config there was, of course, still the thumbprint of the old (secondary) key. As soon as I replaced it with the thumbprint of the new (primary) key, the error disappeared.

1
Willy Van den Driessche On

You are probably missing a configuration that maps the issuer name (as specified inside the token) to the certificate (probably specified with a thumbprint). I guess you solve this with some configuration in your web.config. Have a look at p.e. Microsoft validating issuer name registry The page contains some sample configuration. Setting this up correctly depends entirely on your situation.