
Integrating IDCS with ADFS failing due to certificate issue (Doc ID 2305308.1)

Last updated on JUNE 22, 2023

Applies to:

Identity Cloud Service (IDCS) - Version N/A and later
Information in this document applies to any platform.

Symptoms

The failure is recorded in the AD FS Admin event log on the federation server, with the following exception:

Exception details:
Microsoft.IdentityServer.Service.SecurityTokenService.RevocationValidationException: MSIS7098: The certificate identified by thumbprint '<VALUE>' is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted.
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateRevocationSetting(RevocationSetting revocationSetting, ReceiverX509SigningCredentials receiverSigningCredentials, String partnerId, ServiceCertificateType certificateType)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.ValidateSignatureRequirements(SamlMessage samlMessage)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolManager.Issue(HttpSamlRequestMessage httpSamlRequestMessage, SecurityTokenElement onBehalfOf, String sessionState, String relayState, String& newSamlSession, String& samlpAuthenticationProvider, Boolean isUrlTranslationNeeded, WrappedHttpListenerContext context, Boolean isKmsiRequested)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.RequestBearerToken(WrappedHttpListenerContext context, HttpSamlRequestMessage httpSamlRequest, SecurityTokenElement onBehalfOf, String relyingPartyIdentifier, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired, String& samlpSessionState, String& samlpAuthenticationProvider)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSerializedToken(HttpSamlRequestMessage httpSamlRequest, WrappedHttpListenerContext context, String relyingPartyIdentifier, SecurityTokenElement signOnTokenElement, Boolean isKmsiRequested, Boolean isApplicationProxyTokenRequired)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.BuildSignInResponseCoreWithSecurityToken(SamlSignInContext context, SecurityToken securityToken, SecurityToken deviceSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.ProcessProtocolRequest(ProtocolContext protocolContext, PassiveProtocolHandler protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)


The SAML response returned by ADFS carries the status code urn:oasis:names:tc:SAML:2.0:status:Responder (the IdP refused to issue an assertion) instead of urn:oasis:names:tc:SAML:2.0:status:Success:

<samlp:Response ID="<ID2>" Version="2.0" IssueInstant="<DATE>" Destination="<DEST>" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="<ID1>" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://saml.xyz.org/adfs/services/trust</Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder" />
  </samlp:Status>
</samlp:Response>
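The stack trace above shows ADFS rejecting the signature on an incoming SAML message while checking revocation for the signing certificate of a relying party trust (ValidateRevocationSetting is called from Issue). The following PowerShell is an added diagnostic example, not part of the Oracle article: run on the AD FS server, it locates the relying party trust whose request-signing certificate carries the thumbprint quoted in the MSIS7098 event, reports the certificate's validity window and the trust's configured revocation-check mode, and rebuilds the certificate chain with online revocation checking so the exact chain status (expired, untrusted root, revocation status unknown, and so on) is visible. The thumbprint placeholder and the $Thumbprint variable name are assumptions for the example.

```powershell
# Added diagnostic example (not from the Oracle article). Run in an elevated
# PowerShell session on the AD FS federation server.
Import-Module ADFS

# Paste the thumbprint quoted in the MSIS7098 event here (placeholder value).
$Thumbprint = '<VALUE>'

# Find the relying party trust that presents this certificate for request signing.
$rp = Get-AdfsRelyingPartyTrust | Where-Object {
    $_.RequestSigningCertificate | Where-Object { $_.Thumbprint -eq $Thumbprint }
}

if (-not $rp) {
    Write-Warning "No relying party trust carries request-signing thumbprint $Thumbprint."
    Write-Warning "If the message being validated came from a claims provider, check Get-AdfsClaimsProviderTrust instead."
    return
}

foreach ($cert in $rp.RequestSigningCertificate) {
    if ($cert.Thumbprint -ne $Thumbprint) { continue }

    # Summarise the certificate and the trust's revocation policy for this certificate.
    [pscustomobject]@{
        Trust            = $rp.Name
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        SelfSigned       = ($cert.Subject -eq $cert.Issuer)
        NotBefore        = $cert.NotBefore
        NotAfter         = $cert.NotAfter
        Expired          = ((Get-Date) -gt $cert.NotAfter)
        RevocationCheck  = $rp.SigningCertificateRevocationCheck
    } | Format-List

    # Rebuild the chain with online revocation checking over the entire chain,
    # which is the strictest mode ADFS can be configured to apply, so that every
    # failing status is surfaced rather than only the first one.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chainOk = $chain.Build($cert)

    Write-Host "Chain builds cleanly: $chainOk"
    foreach ($status in $chain.ChainStatus) {
        Write-Host ("  {0}: {1}" -f $status.Status, $status.StatusInformation.Trim())
    }
}
```

The value of RevocationCheck is one of the modes ADFS accepts for -SigningCertificateRevocationCheck on Set-AdfsRelyingPartyTrust (None, CheckEndCert, CheckEndCertCacheOnly, CheckChain, CheckChainCacheOnly, CheckChainExcludeRoot, CheckChainExcludeRootCacheOnly). Compare the chain statuses printed against that mode: a status that the configured mode would evaluate (for example RevocationStatusUnknown under a CheckChain mode, or NotTimeValid for an expired certificate) is what produces MSIS7098. Relaxing the mode to None removes the revocation check entirely for that trust, so treat it as a last resort rather than a default fix, and renew or re-import the certificate where the chain output shows an expiry or trust problem instead.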


Cause
