
SharePoint 2013 mystery error ID4220: The SAML Assertion is either not signed …

While implementing a fresh SharePoint 2013 claims-based authentication site using ADFS 2.0, I ran across this error.

ID4220: The SAML Assertion is either not signed or the signature’s KeyIdentifier cannot be resolved to a SecurityToken. Ensure that the appropriate issuer tokens are present on the token resolver. To handle advanced token resolution requirements, extend Saml11TokenSerializer and override ReadToken.

A Bing/Google search turned up precious little information on this error, and most of it pertained to custom providers, which were not being implemented on this site as it was using the out-of-the-box provider. Going through and validating the rules and URLs also turned up precious little. It did sound a lot like a certificate error though, so carefully looking into the certificates in use showed that I had exported and imported the wrong certificate on the STS: I had grabbed the token-decrypting certificate instead of the token-signing certificate. This is easily corrected. Export the token-signing certificate to a DER-encoded file and then use the following commands to update your STS with the correct certificate.

# Path to the DER-encoded token-signing certificate exported from ADFS
$certPath = "C:\certs\tokensigner.cer"

# Load the certificate (a .cer file carries only the public key, no private key)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("$certPath")

# Register the certificate so SharePoint trusts it as a root authority
New-SPTrustedRootAuthority -Name "Token Signing Certificate" -Certificate $cert

# Point the trusted identity token issuer (the STS trust) at the signing certificate
$sts = Get-SPTrustedIdentityTokenIssuer
$sts | Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate $cert
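Because the root cause here was importing the decrypting certificate instead of the signing one, it is worth verifying the exported file before (or after) running the commands above. The following check is an added example, not part of the original post: it assumes you run it on the SharePoint server with the SharePoint snap-in, and that `$ExpectedThumbprint` is the thumbprint reported on the ADFS server by `Get-AdfsCertificate -CertificateType Token-Signing` (after `Add-PSSnapin Microsoft.Adfs.PowerShell` on ADFS 2.0); the function name and the sample paths are hypothetical.

```powershell
# Added check (not from the original post): confirm that the exported .cer really is
# the ADFS token-signing certificate and that SharePoint is configured to use it.
# Run on the SharePoint server. $ExpectedThumbprint comes from the ADFS server:
#   Get-AdfsCertificate -CertificateType Token-Signing
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Test-TokenSigningCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$CertPath,
        [Parameter(Mandatory = $true)][string]$ExpectedThumbprint
    )

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)

    # Thumbprints are often copied with spaces or in lower case; normalise before comparing
    $expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
    $actual   = $cert.Thumbprint.ToUpperInvariant()

    $report = @{
        Subject            = $cert.Subject
        Thumbprint         = $actual
        NotAfter           = $cert.NotAfter
        MatchesAdfsSigning = ($actual -eq $expected)
        InRootAuthorities  = $false
        UsedByIssuer       = $false
    }

    # Is the certificate registered as a trusted root authority in SharePoint?
    $report.InRootAuthorities = [bool](Get-SPTrustedRootAuthority |
        Where-Object { $_.Certificate.Thumbprint -eq $actual })

    # Is it the certificate the trusted identity token issuer validates SAML signatures with?
    $report.UsedByIssuer = [bool](Get-SPTrustedIdentityTokenIssuer |
        Where-Object { $_.SigningCertificate.Thumbprint -eq $actual })

    if (-not $report.MatchesAdfsSigning) {
        Write-Warning "Thumbprint $actual does not match the ADFS token-signing certificate ($expected). Check that the token-decrypting certificate was not exported by mistake."
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Certificate expired on $($cert.NotAfter); ADFS may have rolled over to a new signing certificate."
    }

    New-Object PSObject -Property $report
}

# Example usage (placeholder values):
# Test-TokenSigningCertificate -CertPath 'C:\certs\tokensigner.cer' -ExpectedThumbprint '<thumbprint from Get-AdfsCertificate>'
```

If `MatchesAdfsSigning` is true but `UsedByIssuer` is false, the certificate was registered as a root authority but `Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate` has not yet been applied to the trust, which still produces ID4220.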
