Yesterday, while configuring my SharePoint 2013 farm with an ADFS v2 farm, I came across a peculiar issue which I hadn't seen before. After a successful initial configuration of the trusted connection between SharePoint and ADFS, while browsing to the SharePoint site, ADFS responded with the error "ID4220: The SAML Assertion is either not signed or the signature's KeyIdentifier cannot be resolved to a SecurityToken. Ensure that the appropriate issuer tokens are present on the token resolver. To handle advanced token resolution requirements, extend Saml11TokenSerializer and override ReadToken."
Upon looking at the error at first glance, it seemed like a certificate issue. My first instinct was to run the Get-SPTrustedIdentityTokenIssuer PowerShell command on the SharePoint server and look at the Trusted Identity Token Issuer to see whether the associated certificate was the correct version of the ADFS token-signing certificate. As it turned out, I had accidentally exported the ADFS service communications certificate (the one bound to the ADFS login URL) instead of the ADFS token-signing certificate.
In the Get-SPTrustedIdentityTokenIssuer output, the issuer was using the ADFS communications certificate: the serial number shown for the TokenIssuer's SigningCertificate matched the ADFS communications cert in the Certificates store rather than the token-signing cert.
Although this looks like an accident specific to my VM environment, it is probably a fairly common mistake in the real world. More often than not, ADFS and SharePoint are run by different teams that have to work together to configure the trust between the two, so there is a real chance of the wrong certificate being exported from ADFS, which can lead to never-ending troubleshooting. The symptom is confusing because of what the certificate on the trusted identity token issuer is for: SharePoint uses it to verify the signature on the SAML assertion that ADFS returns. The service communications certificate is only the SSL certificate for the ADFS endpoints and ADFS never signs tokens with it, so the KeyIdentifier in the assertion's signature cannot be matched to any trusted certificate, and validation on the SharePoint side fails with ID4220 even though the sign-in redirect to ADFS itself works.
If you ever come across a similar situation, export the correct version of the ADFS token-signing certificate and rerun the following commands on a SharePoint server (in the SharePoint Management Shell, as the SharePoint install account) to associate the correct ADFS signing certificate with the SharePoint TrustedIdentityTokenIssuer; that should resolve the issue. Keep in mind that the same symptom returns whenever ADFS rolls over its token-signing certificate (ADFS 2.0 renews it automatically by default), because SharePoint keeps pointing at the old certificate until the new one is imported the same way.
# Load the exported ADFS token-signing certificate (public key only, .cer file)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\Host\ADFS Signing.cer")
# Get the trusted identity token issuer and replace the certificate it uses to verify token signatures
$sts = Get-SPTrustedIdentityTokenIssuer
$sts | Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate $cert
To validate that the correct certificate is now associated, rerun Get-SPTrustedIdentityTokenIssuer; the SigningCertificate it displays should now be the token-signing certificate. Its serial number should match the ADFS token-signing cert in the Certificates store, and its thumbprint should match the one reported by Get-ADFSCertificate -CertificateType Token-Signing on the ADFS server.
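As an added example that is not part of the original post, the PowerShell script below automates that check and the repair: it inspects the .cer you were handed, pulls the token-signing certificate(s) ADFS publishes in its federation metadata, compares both with the certificate SharePoint currently holds on the trusted identity token issuer, and only when run with -Fix performs the Set-SPTrustedIdentityTokenIssuer step. The ADFS host name, the issuer name and the .cer path are placeholders for your environment, and the Server Authentication EKU test is a heuristic for spotting an SSL certificate, not an ADFS rule.

```powershell
# Added example, not from the original post: compare the certificate SharePoint
# trusts for the ADFS issuer with the token-signing certificate(s) ADFS publishes,
# and optionally repair the trust. Run in the SharePoint 2013 Management Shell
# as the SharePoint install account. Host name, issuer name and .cer path are
# assumed placeholders; adjust them for your farm.
param(
    [string]$AdfsHost    = 'adfs.contoso.com',          # assumed federation service name
    [string]$IssuerName  = 'ADFS Provider',             # assumed SPTrustedIdentityTokenIssuer name
    [string]$ExportedCer = 'C:\Host\ADFS Signing.cer',  # the .cer handed over by the ADFS team
    [switch]$Fix                                        # without -Fix the script only reports
)

$X509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'

# Token-signing certificates advertised by ADFS (KeyDescriptor use="signing").
# $Source may be the metadata URL or a locally saved FederationMetadata.xml.
function Get-AdfsSigningCertificates([string]$Source) {
    if ($Source -match '^https?://') {
        $xmlText = (New-Object System.Net.WebClient).DownloadString($Source)
    } else {
        $xmlText = [System.IO.File]::ReadAllText($Source)
    }
    $md = New-Object System.Xml.XmlDocument
    $md.LoadXml($xmlText)
    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $xpath = "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    $seen = @{}   # de-duplicate: the same cert appears under several role descriptors
    foreach ($node in $md.SelectNodes($xpath, $ns)) {
        $cert = New-Object $X509
        $cert.Import([Convert]::FromBase64String($node.InnerText))
        if (-not $seen.ContainsKey($cert.Thumbprint)) { $seen[$cert.Thumbprint] = $cert }
    }
    return @($seen.Values)
}

# Enhanced Key Usage OIDs of a certificate (empty if the extension is absent).
function Get-Eku($Cert) {
    $ekus = @()
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekus += $oid.Value }
        }
    }
    return $ekus
}

# 1. What was exported? A Server Authentication EKU (1.3.6.1.5.5.7.3.1) marks an SSL
#    certificate, i.e. almost certainly the service communications certificate.
$exported = New-Object $X509 -ArgumentList $ExportedCer
Write-Host ("Exported .cer : {0}  thumbprint {1}" -f $exported.Subject, $exported.Thumbprint)
if ((Get-Eku $exported) -contains '1.3.6.1.5.5.7.3.1') {
    Write-Warning 'The exported file carries the Server Authentication EKU; this looks like the ADFS service communications (SSL) certificate, not the token-signing certificate.'
}

# 2. What does ADFS actually sign with right now?
$metadataUrl = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
$adfsSigning = Get-AdfsSigningCertificates $metadataUrl
foreach ($c in $adfsSigning) {
    Write-Host ("ADFS signing  : {0}  thumbprint {1}  expires {2:d}" -f $c.Subject, $c.Thumbprint, $c.NotAfter)
}

# 3. What does SharePoint currently trust for this issuer?
$sts = Get-SPTrustedIdentityTokenIssuer -Identity $IssuerName
if (-not $sts) { throw "No trusted identity token issuer named '$IssuerName' in this farm." }
$trusted = $sts.SigningCertificate
Write-Host ("SharePoint    : {0}  thumbprint {1}" -f $trusted.Subject, $trusted.Thumbprint)

$adfsThumbs = $adfsSigning | ForEach-Object { $_.Thumbprint }
if ($adfsThumbs -contains $trusted.Thumbprint) {
    Write-Host 'OK: SharePoint trusts a certificate that ADFS signs tokens with.'
} elseif ($adfsThumbs -notcontains $exported.Thumbprint) {
    Write-Warning 'Mismatch, and the exported .cer is not an ADFS token-signing certificate either. Export the token-signing certificate (ADFS console, or Get-ADFSCertificate -CertificateType Token-Signing on the ADFS server) and rerun.'
} elseif ($Fix) {
    # 4. Repair. SharePoint must also trust the certificate chain; the ADFS
    #    token-signing certificate is normally self-signed, so register it as a
    #    trusted root authority if it is not one yet, then swap it on the issuer.
    $alreadyRoot = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $exported.Thumbprint }
    if (-not $alreadyRoot) {
        New-SPTrustedRootAuthority -Name "ADFS Token Signing $($exported.Thumbprint)" -Certificate $exported | Out-Null
    }
    $sts | Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate $exported
    Write-Host 'Fixed: the issuer now uses the ADFS token-signing certificate. Rerun without -Fix to confirm.'
} else {
    Write-Warning 'Mismatch: SharePoint trusts the wrong certificate. Rerun with -Fix to import the exported token-signing certificate.'
}
```

Run it once without -Fix to see all three certificates side by side; the thumbprint comparison against the federation metadata is the definitive test, because the metadata is generated from whatever ADFS is actually signing with (including a newly rolled-over certificate), whereas the serial-number comparison against the local Certificates store only tells you which file you exported.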
After associating the correct version of the ADFS token-signing certificate with SharePoint, I was able to browse the SharePoint site and log in through ADFS like a charm. Hope this helps.