Reputation: 331
As a Service Provider we are using the package "ITfoxtec Identity Saml2" for handling SAML 2.0. We have two integrations using Azure AD as IdP. Both have an issue with handling the LogoutResponse from Azure. This exception happens:
System.IdentityModel.Tokens.SecurityTokenValidationException: The X.509 certificate CN=Microsoft Azure Federated SSO Certificate chain building failed. The certificate that was used has a trust chain that cannot be verified. Replace the certificate or change the certificateValidationMode. A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
The only way of avoiding this issue is to set
Saml2Configuration.CertificateValidationMode = System.ServiceModel.Security.X509CertificateValidationMode.None;
But as I understand, this will deactivate all certificate validation, also when handling the AuthnRequest.
Any idea of how to circumvent this issue?
Upvotes: 2
Views: 527
Reputation: 4334
It is probably ok to deactivate the certificate chain validation. The validation only checks if the certificate has a chain known to the relying party. Meaning that the root certificate has to be known on the relying party service / server.
Upvotes: 2
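An added diagnostic (example code, not from the question, the answer or the ITfoxtec library) that runs the same chain build the relying party performs and prints the chain status, then shows how to trust the IdP signing certificate explicitly as a custom root instead of switching validation off. The certificate file path is an assumption; it is the signing certificate exported from the Azure AD federation metadata.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

public static class IdpCertificateChainCheck
{
    // Builds the chain for the IdP signing certificate with the machine's default
    // trust store, the way ChainTrust validation does, and reports why it fails.
    public static bool ReportChain(string certificatePath)
    {
        using var cert = new X509Certificate2(certificatePath);
        using var chain = new X509Chain();
        // SAML signing certificates are usually self-signed and carry no CRL/OCSP
        // endpoints, so skip revocation and test only whether the root is trusted.
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        bool ok = chain.Build(cert);
        Console.WriteLine($"Subject : {cert.Subject}");
        Console.WriteLine($"Issuer  : {cert.Issuer}");
        Console.WriteLine($"Chain ok: {ok}");
        foreach (X509ChainStatus status in chain.ChainStatus)
            Console.WriteLine($"  {status.Status}: {status.StatusInformation.Trim()}");
        // A self-signed IdP certificate yields UntrustedRoot here unless it sits in
        // the server's Trusted Root store, which is the failure the question shows.
        return ok;
    }

    // Trusts exactly the supplied root (here: the IdP signing certificate itself)
    // rather than the whole machine store. Requires .NET Core 3.0 / .NET 5 or later.
    public static bool IsTrustedWithCustomRoot(X509Certificate2 cert, X509Certificate2 root)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(root);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        return chain.Build(cert);
    }

    public static void Main()
    {
        const string path = "azure-sso-signing.cer"; // assumed path, exported from IdP metadata
        ReportChain(path);
        using var idpCert = new X509Certificate2(path);
        // For a self-signed signing certificate the certificate is its own root.
        Console.WriteLine($"Pinned root ok: {IsTrustedWithCustomRoot(idpCert, idpCert)}");
    }
}
```

If the pinned check succeeds while the default chain build fails, the root is simply absent from the server's trust store; installing it there (or pinning it as above) keeps chain validation on for both AuthnRequest and LogoutResponse handling.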