Azure-Samples/active-directory-dotnet-webapp-openidconnect

IDX10500: Signature validation failed

Closed this issue · 2 comments

Hi there.
I'm kinda new to OpenIdConnect and also Azure AD, so please bear with me.

We have Azure AD and also a bunch of home-made C# MVC applications we want to integrate with Azure SSO to enhance the user experience. I understand the way to do it is through OpenIdConnect and I'm using your example as a base; however, I'm running into an error message.

This is how to reproduce it on our side:

  • Access the SP login page
  • We are redirected to the Azure login page: https://login.microsoftonline.com/guid
  • After entering a valid email and password, we are taken back to the service URL, but an error is shown:

Error?message=IDX10500: Signature validation failed. Unable to resolve SecurityKeyIdentifier: 'SecurityKeyIdentifier ( IsReadOnly = False, Count = 2, Clause[0] = X509ThumbprintKeyIdentifierClause(Hash = 0x7BE1550560AAAB651F0ED45F1C12A34C0C26115D), Clause[1] = System.IdentityModel.Tokens.NamedKeySecurityKeyIdentifierClause )', token: '{"typ":"JWT","alg":"RS256","x5t":"e-FVBWCqq2UfDtRfHBKjTAwmEV0","kid":"e-FVBWCqq2UfDtRfHBKjTAwmEV0"}.{"aud":"f777c42c-8e8e-4a2b-80be-969a5a05212b","iss":"https://sts.windows.net/640004ec-92f8-450a-a353-ffb1dda545e2/","iat":1511296909,"nbf":1511296909,"exp":1511300809,"aio":"Y2NgYKg9eGtTsa5Hyw7lwo4PBdw/Mw0sHwjYHzj36cQcRa8gteUA","amr":["pwd"],"c_hash":"8n94-pMtmEKsz3yv8S0FlA","family_name":"theLastName","given_name":"myName","ipaddr":"192.999.999.9","name":"Myname MyLastName","nonce":"636468939940873533.YTExZjkxZjItZDU0Mi00YzhlLTkyYTctMWM0MTQ4YjAyMmE3MTI1MzBmZmEtYjAwOS00ZGZlLTg0OGMtODM1NzRjMjk5MmU3","oid":"604b0c27-1ce8-443a-a4d8-754da53f18c6","onprem_sid":"S-1-5-21-4284508976-2689446834-1949955700-10982","sub":"25loIqRTBMOHezwcXONK5BuqPuSsECH5W_hSpHEgTCI","tid":"640004ec-92f8-450a-a353-ffb1dda545e2","unique_name":"myUsername@mydomain","upn":"myUsername@mydomain","uti":"AeJDeEWY20O-vzUoEGYCAA","ver":"1.0"}'.

This is all I'm modifying from your example:

<add key="ida:ClientId" value="f777c42c-8888-8888-8888-888888888888" />
<add key="ida:Tenant" value="mytenantname.onmicrosoft.com" />
<add key="ida:AADInstance" value="https://login.microsoftonline.com/{0}" />
<add key="ida:PostLogoutRedirectUri" value="https://mycsharpmvcsite/rptest/" />
<add key="ida:RedirectUri" value="https://mycsharpmvcsite/rptest/Home/About" />

I obviously didn't include real names/ids in the text above, but am I missing something here?
Why is it that I can't use Windows Identity Foundation (WIF) to connect to Azure AD?

Your help is greatly appreciated!

I get EXACTLY the same error in trying to run this sample.

Which kind of email do you use to sign in? Are you using an email from a user in the same tenant in which you've done the registration?
I suggest you try the app creation scripts I've added to the sample to be sure it's configured correctly.
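The IDX10500 text quoted in the issue says the middleware could not find a signing key whose kid (or x5t) matches the token header, i.e. the key the token was signed with is not among the keys published at the authority's jwks_uri (wrong tenant in ida:Tenant, or stale cached metadata). The script below is an added diagnostic, not code from the Azure-Samples project or from anyone in this thread: it decodes the token header, shows that the x5t in the header is the base64url form of the certificate thumbprint printed in the error, and performs the same kid/x5t lookup against a JWKS document. The AAD_INSTANCE format string and the metadata path /.well-known/openid-configuration follow the sample's configuration; the token payload, signature and both JWKS documents are constructed here and the key id OLD_KEY_ID_EXAMPLE is a placeholder.

```python
"""Diagnose IDX10500 ("Unable to resolve SecurityKeyIdentifier") for an Azure AD ID token.

The OpenIdConnect middleware resolves the signing key by matching the token header's
'kid' (and 'x5t') against the keys in the tenant's JWKS. This reproduces that lookup
offline so a kid/key mismatch can be seen directly. Added example, not sample code.
"""
import base64
import json
import urllib.request

AAD_INSTANCE = "https://login.microsoftonline.com/{0}"  # same shape as ida:AADInstance


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url (JOSE encoding); re-add the padding first."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt_header(token: str) -> dict:
    """Return the JOSE header of a compact JWT. No verification is done here."""
    return json.loads(b64url_decode(token.split(".")[0]))


def x5t_to_thumbprint(x5t: str) -> str:
    """x5t is the base64url-encoded SHA-1 thumbprint of the signing certificate (DER)."""
    return b64url_decode(x5t).hex().upper()


def find_signing_key(header: dict, jwks: dict):
    """Mimic the resolver: match the token's kid, then fall back to x5t; None if absent."""
    for key in jwks.get("keys", []):
        if header.get("kid") and key.get("kid") == header["kid"]:
            return key
        if header.get("x5t") and key.get("x5t") == header["x5t"]:
            return key
    return None


def fetch_jwks(tenant: str) -> dict:
    """Live lookup (network; not used by the offline example): metadata -> jwks_uri -> keys."""
    authority = AAD_INSTANCE.format(tenant)
    with urllib.request.urlopen(authority + "/.well-known/openid-configuration") as r:
        metadata = json.load(r)
    with urllib.request.urlopen(metadata["jwks_uri"]) as r:
        return json.load(r)


def diagnose(token: str, jwks: dict) -> str:
    """Report whether the token's signing key is published in the given JWKS."""
    header = decode_jwt_header(token)
    key = find_signing_key(header, jwks)
    if key is None:
        known = [k.get("kid") for k in jwks.get("keys", [])]
        return f"IDX10500: kid {header.get('kid')!r} not in published keys {known}"
    return f"signing key {key['kid']!r} found"


# Header exactly as quoted in the issue's error message.
HEADER_FROM_ISSUE = {"typ": "JWT", "alg": "RS256",
                     "x5t": "e-FVBWCqq2UfDtRfHBKjTAwmEV0", "kid": "e-FVBWCqq2UfDtRfHBKjTAwmEV0"}

# Constructed sample token: real header, placeholder payload and signature (will not verify).
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps(HEADER_FROM_ISSUE, separators=(",", ":")).encode()),
    b64url_encode(b'{"iss":"https://sts.windows.net/640004ec-92f8-450a-a353-ffb1dda545e2/"}'),
    b64url_encode(b"not-a-real-signature"),
])

# Constructed JWKS documents: one without the key (reproduces the error), one with it.
JWKS_STALE = {"keys": [{"kty": "RSA", "use": "sig",
                        "kid": "OLD_KEY_ID_EXAMPLE", "x5t": "OLD_KEY_ID_EXAMPLE"}]}
JWKS_CURRENT = {"keys": JWKS_STALE["keys"] + [{"kty": "RSA", "use": "sig",
                "kid": "e-FVBWCqq2UfDtRfHBKjTAwmEV0", "x5t": "e-FVBWCqq2UfDtRfHBKjTAwmEV0"}]}

if __name__ == "__main__":
    # Matches the X509ThumbprintKeyIdentifierClause hash printed in the error.
    print(x5t_to_thumbprint(HEADER_FROM_ISSUE["x5t"]))
    print(diagnose(SAMPLE_TOKEN, JWKS_STALE))
    print(diagnose(SAMPLE_TOKEN, JWKS_CURRENT))
```

To check a real tenant, call fetch_jwks("mytenantname.onmicrosoft.com") and pass the result to diagnose with the id_token copied from the failing request; if the kid is missing there too, the token was issued by a different authority than the one the app's ida:Tenant resolves to.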