SAML authentication fails with PingFed IdP with error "There was a failure with the mapped account"

Article ID: CTX492471

Description

Users get the error "There was a failure with the mapped account" when attempting to log on to the StoreFront URL after SAML authentication has been configured on the StoreFront server with PingFederate (PingFed) as the IdP.

The Citrix Delivery Services event log on the StoreFront server shows the following error:


The security token failed validation.
System.IdentityModel.SignatureVerificationFailedException, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier
    (
    IsReadOnly = False,
    Count = 1,
    Clause[0] = System.IdentityModel.Tokens.Saml2SecurityKeyIdentifierClause
    )
'. Ensure that the SecurityTokenResolver is populated with the required key.
   at System.IdentityModel.EnvelopedSignatureReader.ResolveSigningCredentials()
   at System.IdentityModel.EnvelopedSignatureReader.OnEndOfRootElement()
   at System.IdentityModel.EnvelopedSignatureReader.Read()
   at System.Xml.XmlReader.ReadEndElement()
   at System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ReadAssertion(XmlReader reader)
   at System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ReadToken(XmlReader reader)
   at System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
   at Citrix.DeliveryServices.Authentication.Saml20.SamlExtensions.GetSecurityToken(String assertion, SecurityTokenHandlerCollection securityTokenHandlers)
   at Citrix.DeliveryServices.Authentication.Saml20.SamlManager.ProcessSamlResponse(String base64EncodedResponse, Boolean compressed)

Environment

Citrix StoreFront configured for SAML authentication, with PingFederate (PingFed) as the SAML identity provider.

Resolution

  1. Ask the PingFederate administrator to include a ds:KeyInfo element carrying the signing certificate (ds:X509Data/ds:X509Certificate) in the signature of the SAML assertion. StoreFront uses that key identifier to locate the matching trusted IdP certificate, so SAML authentication should succeed once it is present. The certificate in KeyInfo must be the one StoreFront already trusts for this IdP (the one in the imported IdP metadata); a KeyInfo that names a certificate StoreFront does not trust fails with the same ID4037 error, because the key is resolved against StoreFront's configured trust, not taken from the response.
  2. Refer to the following link to update the assertion and metadata file as needed: https://docs.citrix.com/en-us/storefront/current-release/sdk-overview.html#example-list-the-metadata-and-acs-endpoints-for-a-specified-store-for-saml-authentication

Problem Cause

The IdP, PingFederate, does not include a KeyInfo section carrying the signing public key (certificate) in the signature of the SAML assertion. StoreFront's SAML 2.0 token handler therefore has no key identifier to resolve against its trusted IdP certificates (the empty Saml2SecurityKeyIdentifierClause in the event log), the signature cannot be verified, and the logon fails with ID4037 and the "failure with the mapped account" message.
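A way to confirm this cause from a captured SAMLResponse before going back to the IdP team, as an added diagnostic that is not part of this article or of Citrix's or PingFederate's code: decode the response, locate each ds:Signature, and report whether it carries a ds:KeyInfo with an X509Certificate and whether that certificate matches the one the service provider trusts for the IdP. The two sample responses, the placeholder certificate bytes, the issuer URL and the trusted fingerprint are constructed for the example; SignatureValue is a placeholder and no signature is verified.

```python
# Added diagnostic for the cause described above (not Citrix or PingFederate code).
# Decodes a captured SAMLResponse and reports, per signed element, whether the
# signature carries a ds:KeyInfo/X509Certificate and whether that certificate
# matches the IdP certificate the SP trusts. No signature is verified here.
import base64
import hashlib
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree for responses from untrusted sources

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _signature_report(sig, trusted_fingerprint=None):
    """Describe one ds:Signature element.

    has_keyinfo: a ds:KeyInfo is present (absent in the failing PingFederate case)
    has_x509:    the KeyInfo carries at least one X509Certificate
    matches_idp: SHA-256 of that certificate equals the trusted IdP fingerprint
                 (None when there is nothing to compare)
    """
    certs = [
        "".join(c.text.split())
        for c in sig.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if c.text and c.text.strip()
    ]
    report = {
        "has_keyinfo": sig.find("ds:KeyInfo", NS) is not None,
        "has_x509": bool(certs),
        "matches_idp": None,
    }
    if certs and trusted_fingerprint:
        der = base64.b64decode(certs[0])
        report["matches_idp"] = hashlib.sha256(der).hexdigest() == trusted_fingerprint
    return report


def check_saml_response(b64_response, trusted_fingerprint=None):
    """Return {"Response": {...}, "Assertion": {...}} for a base64 SAMLResponse.

    A verifier must resolve the signing key against the certificate it already
    trusts for the IdP (from imported metadata) and never trust the embedded
    certificate alone; trusted_fingerprint stands in for that configured trust.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    elements = [("Response", root)] + [
        ("Assertion", a) for a in root.findall("saml:Assertion", NS)
    ]
    results = {}
    for name, elem in elements:
        sig = elem.find("ds:Signature", NS)  # an enveloped signature is a direct child
        if sig is None:
            results[name] = {"signed": False}
        else:
            results[name] = {"signed": True, **_signature_report(sig, trusted_fingerprint)}
    return results


# ---- constructed sample data (placeholders, not real certificates or signatures) ----
PLACEHOLDER_CERT = base64.b64encode(b"placeholder DER bytes, not a real certificate").decode()
# In practice: SHA-256 of the DER certificate taken from the IdP metadata you imported.
TRUSTED_IDP_FINGERPRINT = hashlib.sha256(base64.b64decode(PLACEHOLDER_CERT)).hexdigest()


def _sample_response(keyinfo_xml):
    """Build a minimal Response with a signed Assertion; SignatureValue is a placeholder."""
    xml = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo/>
      <ds:SignatureValue>AAAA</ds:SignatureValue>
      {keyinfo_xml}
    </ds:Signature>
    <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


RESPONSE_WITHOUT_KEYINFO = _sample_response("")  # the PingFederate case from the event log
RESPONSE_WITH_KEYINFO = _sample_response(
    "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
    + PLACEHOLDER_CERT
    + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
)

if __name__ == "__main__":
    for label, resp in [("without KeyInfo", RESPONSE_WITHOUT_KEYINFO),
                        ("with KeyInfo", RESPONSE_WITH_KEYINFO)]:
        print(label, check_saml_response(resp, TRUSTED_IDP_FINGERPRINT))
```

To use it on a real failure, capture the SAMLResponse form field from the browser (it is base64, and for HTTP-POST binding it is not deflated) and pass it with the SHA-256 fingerprint of the certificate in the IdP metadata StoreFront has imported. An Assertion report of has_keyinfo False reproduces this article's cause; has_x509 True with matches_idp False means the IdP signs with a certificate StoreFront does not trust, which is a metadata update on the StoreFront side rather than a PingFederate change.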

Additional Information

https://www.w3.org/TR/xmldsig-core/#sec-KeyInfo