Integrating IDCS with ADFS failing due to certificate issue

(Doc ID 2305308.1)

Last updated on JULY 12, 2018

Applies to:

Identity Cloud Service (IDCS) - Version N/A and later
Information in this document applies to any platform.

Symptoms

The failure is recorded in the ADFS event viewer and the error is as follows:

Exception details:
Microsoft.IdentityServer.Service.SecurityTokenService.RevocationValidationException: MSIS7098: The certificate identified by thumbprint '0EFEEBD553F0F2A4CDA4D06345C24F0ED0479B68' is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted.
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateRevocationSetting(RevocationSetting revocationSetting, ReceiverX509SigningCredentials receiverSigningCredentials, String partnerId, ServiceCertificateType certificateType)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateSignatureRequirements(SamlMessage samlMessage)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

The SAML Response returned from ADFS carries the status code <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" /> instead of Success, and contains no assertion:

<samlp:Response ID="_b95ab829-a8d7-4347-b479-a8b1f61177d6" Version="2.0" IssueInstant="2018-06-04T21:19:46.725Z" Destination="https://idcs-cx4772e007824232987c41c322681974.identity.oraclecloud.com/fed/v1/sp/sso" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="id-kGrw8qXXHN365AMCNaVmIFIv-lY-" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://saml.xyz.org/adfs/services/trust</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <ds:Reference URI="#_b95ab829-a8d7-4347-b479-a8b1f61177d6">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <ds:DigestValue>NYnY47hgQMBPKfmpfvA5K9uIiUnAIv0E6DpJw9onKhE=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Oiej2znqNJLMed5FRkQAPOCuPc2USz+9++ifapaqy8psOpyscaYHWz63B/Y2WiGjrxr/lXRGBEQAhBW7gedVco0OuqqKsgZ/iss8s0uC8mCiN31BwVWMJeXS656OKJIMuPNnBh1a3tkh+nlb3ppxqyR+fX83FfYgatIpMxVaa82caHNCkO6d++QJHw7jzw8zv+CCHkmaCYbNINPV2dLf05WwcWNjIdGWDShfIcroUriOjciptw4LnQmL5Kpxa7qpj/dS+08iFGSboGNcrxscHRw/BPFYfR3b1ZjCEI97cIMLLRBVR6rAHNx59Or0qcmmFWUyCJtHuwFCyL1EDZSBPQ==</ds:SignatureValue>
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data>
        <ds:X509Certificate>MIIC0jCCAbqgAwIBAgIQbMR+5rV/7J1DCnvxjv1h3zANBgkqhkiG9w0BAQsFADAlMSMwIQYDVQQDExpBREZTIFNpZ25pbmcgLSBzYW1sLmFoLm9yZzAeFw0xNjAzMzEwMjQzMzBaFw0xOTAzMzEwMjQzMzBaMCUxIzAhBgNVBAMTGkFERlMgU2lnbmluZyAtIHNhbWwuYWgub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2wvMHE30xQUFaVXb5YY98FR5+E8Kk09uJI5qnnfWfeZUCbdU1EnNv4VqQggdX5/mIgfK6h2mI2bz3C2/0aANqYwxPFHtF8RI2GSdlpInV+NXc8jfQqayHfnw7xycoubYChBFJP3A/cS1Rj+Q7FBfC1quCc5sFGc23WaUe5wxmm4v//5G5T6VSh88YPNVTkuVkGHtDNQ4s6twLmemZmwXgX//1nEv7LzUo2aMIJhAcklBn0BXLO6bZYQldTGoRBHZFGWcLBpM6vo1iQfXD7o6A8iYSbs9rUj3SV3ctm4m8h4ksVsxWfIYkpXC696z0TIWyR0SAvxBt9A0QCe4i2oOaQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAOPRo2ryzl/AJ8DrrILmapz4/zaTEyoj9+SpVDabUhxo16lc7ihv06f5nTzsM9I8ZNUnUgVwuSU5WVH2lnAVBk6CgpwbPX2fM8u9phUikcyR5t7srp4uF5TqKExUaFKtax3ZPHa82HxhlJ8Y+bT2BsF+zym633MYwDEhjcIGcXd5YpkwT/Qq3I/2O6j9O6d6RZ1cgK2CpKo47rVJEnQcBGoWJi3vtCi2Y5rs9IYArgifxOUCNoJmLoWeNousxqvNMrTERqN5tzOHDM1iThwjPvhfxJ/GaQh51HEHq2dmsZZJKmtueR8lgMVegnd/L3lyxNmJt6CLOvbD4Ae8fI8DNA</ds:X509Certificate>
      </ds:X509Data>
    </KeyInfo>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
  </samlp:Status>
</samlp:Response>

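When triaging this symptom it helps to pin down two things from the artifacts above: which status the response actually carries, and which certificate the MSIS7098 thumbprint refers to. ADFS logs a certificate's thumbprint as the uppercase hex SHA-1 of its DER encoding, so the same value can be computed for any certificate you hold (the IDCS signing certificate from its metadata, or the ADFS certificate embedded in the response) and compared with the event. The script below is an added example written for this note, not Oracle's or Microsoft's code; it uses only the Python standard library, takes the signing certificate from the response shown above as its sample input (the SignedInfo and SignatureValue are omitted from the constructed sample, since they play no part in the check), and walks just enough of the DER structure to read the certificate's validity period. The function and constant names are this example's own.

```python
# Added example (not from the Oracle note): inspect a SAML Response and the
# certificate ADFS complained about, using only the standard library.
import base64
import hashlib
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DSIG = "http://www.w3.org/2000/09/xmldsig#"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EVENT_THUMBPRINT = "0EFEEBD553F0F2A4CDA4D06345C24F0ED0479B68"   # from the MSIS7098 event above

# <ds:X509Certificate> value from the response above, split across lines.
ADFS_SIGNING_CERT_B64 = (
    "MIIC0jCCAbqgAwIBAgIQbMR+5rV/7J1DCnvxjv1h3zANBgkqhkiG9w0BAQsFADAlMSMwIQYDVQQDExpB"
    "REZTIFNpZ25pbmcgLSBzYW1sLmFoLm9yZzAeFw0xNjAzMzEwMjQzMzBaFw0xOTAzMzEwMjQzMzBaMCUx"
    "IzAhBgNVBAMTGkFERlMgU2lnbmluZyAtIHNhbWwuYWgub3JnMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A"
    "MIIBCgKCAQEA2wvMHE30xQUFaVXb5YY98FR5+E8Kk09uJI5qnnfWfeZUCbdU1EnNv4VqQggdX5/mIgfK"
    "6h2mI2bz3C2/0aANqYwxPFHtF8RI2GSdlpInV+NXc8jfQqayHfnw7xycoubYChBFJP3A/cS1Rj+Q7FBf"
    "C1quCc5sFGc23WaUe5wxmm4v//5G5T6VSh88YPNVTkuVkGHtDNQ4s6twLmemZmwXgX//1nEv7LzUo2aM"
    "IJhAcklBn0BXLO6bZYQldTGoRBHZFGWcLBpM6vo1iQfXD7o6A8iYSbs9rUj3SV3ctm4m8h4ksVsxWfIY"
    "kpXC696z0TIWyR0SAvxBt9A0QCe4i2oOaQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAOPRo2ryzl/AJ8"
    "DrrILmapz4/zaTEyoj9+SpVDabUhxo16lc7ihv06f5nTzsM9I8ZNUnUgVwuSU5WVH2lnAVBk6CgpwbPX"
    "2fM8u9phUikcyR5t7srp4uF5TqKExUaFKtax3ZPHa82HxhlJ8Y+bT2BsF+zym633MYwDEhjcIGcXd5Yp"
    "kwT/Qq3I/2O6j9O6d6RZ1cgK2CpKo47rVJEnQcBGoWJi3vtCi2Y5rs9IYArgifxOUCNoJmLoWeNousxq"
    "vNMrTERqN5tzOHDM1iThwjPvhfxJ/GaQh51HEHq2dmsZZJKmtueR8lgMVegnd/L3lyxNmJt6CLOvbD4A"
    "e8fI8DNA"
)

# Constructed sample: the failing response above with SignedInfo/SignatureValue left out.
SAML_RESPONSE = f"""<samlp:Response ID="_b95ab829-a8d7-4347-b479-a8b1f61177d6" Version="2.0"
    xmlns:samlp="{SAMLP}">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://saml.xyz.org/adfs/services/trust</Issuer>
  <ds:Signature xmlns:ds="{DSIG}">
    <KeyInfo xmlns="{DSIG}"><ds:X509Data><ds:X509Certificate>{ADFS_SIGNING_CERT_B64}</ds:X509Certificate></ds:X509Data></KeyInfo>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" /></samlp:Status>
</samlp:Response>"""


def saml_status(xml_text):
    """Return the top-level <samlp:StatusCode Value> of a SAML Response (None if absent)."""
    code = ET.fromstring(xml_text).find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    return code.get("Value") if code is not None else None


def signing_certificate(xml_text):
    """Return the DER bytes of the first <ds:X509Certificate> in the response."""
    node = ET.fromstring(xml_text).find(f".//{{{DSIG}}}X509Certificate")
    return base64.b64decode("".join(node.text.split()), validate=True)


def thumbprint(der):
    """ADFS-style thumbprint: uppercase hex SHA-1 over the DER encoding."""
    return hashlib.sha1(der).hexdigest().upper()


def matches_event(der, reported=EVENT_THUMBPRINT):
    """Compare a certificate with the thumbprint ADFS logged, ignoring spaces and case."""
    return thumbprint(der) == re.sub(r"[^0-9A-Fa-f]", "", reported).upper()


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _asn1_time(tag, raw):
    """Decode UTCTime (tag 0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    text = raw.decode("ascii")
    if tag == 0x17:                          # RFC 5280: YY >= 50 means 19YY, else 20YY
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def validity_period(der):
    """Walk tbsCertificate up to Validity and return (notBefore, notAfter) in UTC."""
    _, cert, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                # tbsCertificate ::= SEQUENCE
    tag, _, pos = _tlv(tbs, 0)               # [0] EXPLICIT version, or serialNumber if absent
    if tag == 0xA0:
        _, _, pos = _tlv(tbs, pos)           # serialNumber
    _, _, pos = _tlv(tbs, pos)               # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)               # issuer Name
    _, validity, _ = _tlv(tbs, pos)          # Validity ::= SEQUENCE { notBefore, notAfter }
    t1, not_before, p = _tlv(validity, 0)
    t2, not_after, _ = _tlv(validity, p)
    return _asn1_time(t1, not_before), _asn1_time(t2, not_after)


def describe(xml_text, now=None):
    """Summarise the status and the embedded signing certificate of a SAML Response."""
    now = now or datetime.now(timezone.utc)
    der = signing_certificate(xml_text)
    not_before, not_after = validity_period(der)
    status = saml_status(xml_text)
    return {
        "status": status,
        "success": status == SUCCESS,
        "thumbprint": thumbprint(der),
        "matches_event_thumbprint": matches_event(der),
        "not_before": not_before.isoformat(),
        "not_after": not_after.isoformat(),
        "within_validity": not_before <= now <= not_after,
    }


if __name__ == "__main__":
    for key, value in describe(SAML_RESPONSE).items():
        print(f"{key:26} {value}")
```

Running the script prints the Responder status, the thumbprint of the ADFS signing certificate in the response and its validity window (2016-03-31 to 2019-03-31 for the certificate shown). To check the certificate that the event actually names, feed the base64 of the IDCS signing certificate from its SAML metadata into `thumbprint` and `validity_period` in the same way; a match on the event thumbprint plus a validity window that covers the failure time narrows the MSIS7098 message to its revocation and chain-trust causes.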
Cause
