How to resolve the error ID4022 when a SAMLResponse's signature or encrypted data does not have KeyInfo element
Question:
Identify receives a SAMLResponse message from an upstream identity provider that either has no KeyInfo elements, or whose KeyInfo elements do not directly identify the key that was used. For example:
When processing such a message, Identify may return the error message: "ID4022: The key needed to decrypt the encrypted security token could not be resolved. Ensure that the SecurityTokenResolver is populated with the required key".
Answer: To have Identify process this type of message, you need to do a few steps. Step 1 applies only when you are using an Identify version before 5.4. From 5.4 on, we fixed the issue, so you no longer need to do it and can go straight to step 2:
Step 1: open C:\Program Files\Safewhere\Identify\Tenants\tenant_folder\runtime\WindsorPathResolverPipeline.config and remove the following line:
<component id="UnsolicitedResponseRequestHandler" lifestyle="Singleton" service="Safewhere.IdentityProvider.RuntimeModel.IRequestHandler, Safewhere.IdentityProvider.RuntimeModel" type="Safewhere.IdentityProvider.Saml2.UnsolicitedResponseRequestHandler, Safewhere.IdentityProvider.Saml2">
Here is a screenshot of where it is:
Step 2: log in to the Safewhere Admin, open the Settings page and update the following settings:
- Security token resolver factory: choose the option "Safewhere.IdentityProvider.Saml2.Tokens.CustomSubResolverSecurityTokenResolverFactory, Safewhere.IdentityProvider.Saml2".
- Signing security token sub resolvers: select all items.
- Encrypting security token sub resolvers: select all items.
Step 3: reset the application pool of the Identify instance that you just modified.
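To confirm that an incoming message actually has the shape described in the question (no KeyInfo, or a KeyInfo that does not directly identify the key) before applying the steps above, the following added diagnostic script can be run against a saved, decoded SAMLResponse. It is example code written for this article, not Safewhere code; the sample response embedded in it is constructed, and the split between "direct" hints (X509Data, KeyValue, KeyName) and "indirect" ones (such as RetrievalMethod) is an assumption for illustration.

```python
# Diagnostic check: report whether each ds:Signature / xenc:EncryptedData in a
# SAMLResponse carries a KeyInfo element that directly identifies the key.
# A "missing" or "indirect" result is the situation that triggers ID4022 in
# Identify until the custom sub-resolver factory from Step 2 is enabled.
import xml.etree.ElementTree as ET

NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Assumed classification: these KeyInfo children name the key directly.
DIRECT_KEY_HINTS = {"X509Data", "KeyValue", "KeyName"}

def key_info_status(element):
    """Classify the ds:KeyInfo child of a Signature or EncryptedData element."""
    key_info = element.find("ds:KeyInfo", NS)
    if key_info is None:
        return "missing"
    local_names = {child.tag.split("}")[-1] for child in key_info}
    if local_names & DIRECT_KEY_HINTS:
        return "direct"
    return "indirect"  # e.g. only a RetrievalMethod reference is present

def audit_saml_response(xml_text):
    """Return (element kind, KeyInfo status) for every signature and encrypted block."""
    root = ET.fromstring(xml_text)
    findings = []
    for sig in root.iter("{%s}Signature" % NS["ds"]):
        findings.append(("Signature", key_info_status(sig)))
    for enc in root.iter("{%s}EncryptedData" % NS["xenc"]):
        findings.append(("EncryptedData", key_info_status(enc)))
    return findings

# Constructed sample: signature without KeyInfo, encrypted assertion whose
# KeyInfo only points elsewhere via RetrievalMethod. Cipher values are dummies.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAA=</ds:SignatureValue></ds:Signature>
  <saml2:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <ds:KeyInfo><ds:RetrievalMethod URI="#ek1"/></ds:KeyInfo>
      <xenc:CipherData><xenc:CipherValue>BBB=</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml2:EncryptedAssertion>
</saml2p:Response>"""

if __name__ == "__main__":
    for kind, status in audit_saml_response(SAMPLE_RESPONSE):
        print("%s: KeyInfo %s" % (kind, status))
```

Any "missing" or "indirect" line in the output means the message matches the case this article covers.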