How to resolve the error ID4022 when a SAMLResponse’s signature or encrypted data doesn’t have KeyInfo element

Question:

Identify receives a SAMLResponse message from an upstream Identity Provider that either doesn’t have KeyInfo elements or KeyInfo elements don’t directly tell key is used. For example:

Screenshot_2

When processing such message, Identify may return error message:  ID4022: The key needed to decrypt the encrypted security token could not be resolved. Ensure that the SecurityTokenResolver is populated with the required key.

Screenshot_3

Answer:

In order to have Identify process that type of messages, you will need to do a few steps. The first step applies when you are using Identify version before 5.4. From 5.4, we fixed the issue so you no longer need to do it and instead can jump straight to step 2:
1. Go to C:\Program Files\Safewhere\Identify\Tenants\[YourIdentify]\runtime\WindsorPathResolverPipeline.config and remove the following line:

here is a screenshot of where it is:

Screenshot_7

2. Login to the Identify Admin, open System setup and update the following settings:
  • Security token resolver factory: Choose the option: “Safewhere.IdentityProvider.Saml2.Tokens.CustomSubResolverSecurityTokenResolverFactory, Safewhere.IdentityProvider.Saml2”.
  • Signing security token sub resolvers: Choose Select All.
  • Encrypting security token sub resolvers: Choose Select All.

Screenshot_8

3. Reset the application pool of the Identify instance that you just modify.