SharePoint and ADFS Configuration Error – ID4220: The SAML Assertion is either not signed or the signature’s KeyIdentifier cannot be resolved to a SecurityToken

Posted on September 5, 2013 by Nik Patel

Yesterday, while configuring my SharePoint 2013 farm with ADFS v2 farm, I came across peculiar issue which I haven’t seen before. After successful initial configuration of trusted connection between SharePoint and ADFS, while browsing to the SharePoint Site, ADFS responded with error – ID4220: The SAML Assertion is either not signed or the signature’s KeyIdentifier cannot be resolved to a SecurityToken. Ensure that the appropriate issuer tokens are present on the token resolver. To handle advanced token resolution requirements, extend Saml11TokenSerializer and override ReadToken.

ADFS ID4220 Error

Upon looking at the error at first glace, it seem like certificate issue. My first instinct was to run Get-SPTrustedIdentityTokenIssuer PowerShell command on SharePoint server and look at the Trusted Identity Token Issuer to see if certificate associated was correct version of ADFS Token signing certificate. As it turned out, I have accidentally exported ADFS Communication Certificate for ADFS Login URL instead of ADFS Token Signing Certificate.

As you can see here, Get-SPTrustedIdentityTokenIssuer shows it’s using ADFS Communication certificate (see how it matches serial number in TokenIssuer with ADFS cert in Certificates store)

ADFS Token Issuer

ADFS Cert

Although this may seems like accidental issue in my VM environment, this may be more common error in real world. Since more often or not, both ADFS and SharePoint teams are different teams and would work together to configure trusted connection between ADFS and SharePoint, there are possibility of exporting wrong certs from ADFS which can lead to never ending troubleshooting steps.

If you ever come across similar situation, export the correct version of ADFS Token Signing Certificate and rerun the following command on SharePoint Servers using SharePoint Install account to associate correct version of ADFS Signing certificate with SharePoint TrustedIdentityTokenIssuer and it should resolve the issue.

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(“C:\Host\ADFS Signing.cer”)
$sts = Get-SPTrustedIdentityTokenIssuer
$sts | Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate $cert

To validate whether you have correct version of certificate associated with above command, rerun the Get-SPTrustedIdentityTokenIssuer and it should display correct version of the certificate (see how it matches serial number in TokenIssuer with ADFS cert in Certificates store).

ADFS Signing Token Issuer

ADFS Signing Cert

After associating correct version of ADFS Token Signing certificate with SharePoint, I was able to browse SharePoint site and log in through ADFS with charm. Hope this would help.

This entry was posted in Uncategorized. Bookmark the permalink.

1 Response to SharePoint and ADFS Configuration Error – ID4220: The SAML Assertion is either not signed or the signature’s KeyIdentifier cannot be resolved to a SecurityToken

  1. Pingback: How To Fix Error 6 The Handle Is Invalid Sharepoint Search Errors - Windows Vista, Windows 7 & 8

Leave a Reply

Please log in using one of these methods to post your comment:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s