Troubleshooting the error ID4037 in Identify
Overview
When receiving a SAMLResponse from an upstream Identity Provider, Identify might return the following error:
ID4037: The key needed to verify the signature could not be resolved from the following security key identifier 'SecurityKeyIdentifier ( IsReadOnly = False, Count = 1, Clause[0] = KeyNameIdentifierClause(KeyName = '....') ) '. Ensure that the SecurityTokenResolver is populated with the required key.
This error may also occur when Identify receives a SAMLRequest message using POST binding from a Service Provider or an Identity Provider.
Steps for troubleshooting
Error ID4037 typically occurs when the security key required to verify the signature cannot be resolved. This may happen due to the following reasons:
- None of the configured security token sub resolvers can resolve the security key referenced in the message. For example, the signature's KeyInfo carries a KeyNameIdentifierClause (a ds:KeyName element), but the KeyName sub resolver is not configured.
- Misconfiguration of the SAML2 connection, such as the upstream Identity Provider signing or encrypting its assertion with a certificate that is not configured on the SAML2 Identity Provider connection in Identify.
Verify the security token resolvers on the Settings page
- Log in to Safewhere Admin.
- Open the Settings page.
- Check the following settings in the Security section:
- Security Token Resolver Factory: set the value to Safewhere.IdentityProvider.Saml2.Tokens.CustomSubResolverSecurityTokenResolverFactory, Safewhere.IdentityProvider.Saml2.
- Signing Security Token Sub Resolvers: define the resolvers used to locate the signing certificate, based on the KeyInfo in the signed message and the connection configuration:
- If the signed token includes KeyInfo with a KeyName element, add Safewhere.IdentityProvider.Saml2.Tokens.SigningKeyNameSubSecurityTokenResolver.
- If the signed token does not include KeyInfo, add Safewhere.IdentityProvider.Saml2.Tokens.SigningOutOfBandSubSecurityTokenResolver.
- Encrypting Security Token Sub Resolvers: define the resolvers used to locate the encrypting certificate, based on the KeyInfo in the encrypted message and the connection configuration:
- If the encrypted token includes KeyInfo with a KeyName element, add Safewhere.IdentityProvider.Saml2.Tokens.EncryptingKeyNameSubSecurityTokenResolver.
- If the encrypted token does not include KeyInfo, add Safewhere.IdentityProvider.Saml2.Tokens.EncryptingOutOfBandSubSecurityTokenResolver.
- Click the Save button on the Settings page.
Verify the certificate setup in the connection
- Identify the certificates the participant uses to sign or encrypt the message. These are listed in the KeyDescriptor elements of the Service Provider's or upstream Identity Provider's metadata (use="signing" and use="encryption"; a KeyDescriptor without a use attribute covers both).
- Navigate to the corresponding connection in Identify.
- Ensure the certificates configured on the connection match those identified in the first step. Comparing thumbprints is the most reliable way to do this, since a renewed certificate can keep the same subject name.
- If the ID4037 message quotes a KeyName, confirm that the same KeyName is configured for that certificate on the connection; the resolver looks the certificate up by that exact string.
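Both procedures above come down to two questions: what kind of KeyInfo does the incoming signature carry (KeyName, an embedded X509Certificate, or nothing), and does the certificate the partner uses appear in its metadata? The following script answers both offline. It is an added example, not code from Safewhere Identify; the SAML messages and metadata in it are constructed samples (the "certificate" is a placeholder byte string, since only its SHA-1 thumbprint is compared), and the resolver names it suggests are the ones listed on this page. It inspects ds:Signature elements only; KeyInfo inside an EncryptedData element is not covered.

```python
"""Inspect the KeyInfo of a signed SAML message and compare embedded
certificates with the partner's metadata. Added example, not Safewhere code."""
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"ds": DS, "md": MD}

# Constructed stand-in for DER certificate bytes; not a real certificate.
FAKE_DER = b"constructed-der-bytes-not-a-real-certificate"
FAKE_B64 = base64.b64encode(FAKE_DER).decode()

# Constructed sample messages: KeyName, embedded X509Certificate, and no KeyInfo.
SAMPLE_RESPONSE_KEYNAME = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="{DS}" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:KeyName>idp-signing-key</ds:KeyName></ds:KeyInfo>
  </ds:Signature>
</samlp:Response>"""
SAMPLE_RESPONSE_X509 = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="{DS}" ID="_r2" Version="2.0">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
</samlp:Response>"""
SAMPLE_RESPONSE_NO_KEYINFO = f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:ds="{DS}" ID="_r3" Version="2.0">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue></ds:Signature>
</samlp:Response>"""
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://idp.example.test">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def thumbprint(b64_der):
    """Upper-case hex SHA-1 of a base64 DER blob; tolerates PEM-style line breaks."""
    return hashlib.sha1(base64.b64decode("".join(b64_der.split()))).hexdigest().upper()


def key_references(message_xml):
    """One (kind, value) tuple per ds:Signature: ('KeyName', name),
    ('X509', thumbprint), ('none', None) when KeyInfo is absent, or ('other', None)."""
    root = ET.fromstring(message_xml)
    refs = []
    for sig in root.iter(f"{{{DS}}}Signature"):
        keyinfo = sig.find("ds:KeyInfo", NS)
        if keyinfo is None:
            refs.append(("none", None))
            continue
        name = keyinfo.find("ds:KeyName", NS)
        cert = keyinfo.find("ds:X509Data/ds:X509Certificate", NS)
        if name is not None and name.text:
            refs.append(("KeyName", name.text.strip()))
        elif cert is not None and cert.text:
            refs.append(("X509", thumbprint(cert.text)))
        else:
            refs.append(("other", None))
    return refs


def metadata_thumbprints(metadata_xml):
    """Map KeyDescriptor use ('signing', 'encryption' or None for both) to thumbprints."""
    root = ET.fromstring(metadata_xml)
    out = {}
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            out.setdefault(kd.get("use"), set()).add(thumbprint(cert.text))
    return out


def sub_resolver_for(kind, role="Signing"):
    """Sub resolver this article says to add for a given KeyInfo shape; None if not listed."""
    prefix = "Safewhere.IdentityProvider.Saml2.Tokens."
    if kind == "KeyName":
        return prefix + role + "KeyNameSubSecurityTokenResolver"
    if kind == "none":
        return prefix + role + "OutOfBandSubSecurityTokenResolver"
    return None


def report(message_xml, metadata_xml):
    """Per signature: KeyInfo kind, value to check, resolver to configure, and for
    embedded certificates whether the partner publishes them for signing."""
    known = metadata_thumbprints(metadata_xml)
    allowed = known.get("signing", set()) | known.get(None, set())
    return [{"kind": kind, "value": value, "resolver": sub_resolver_for(kind),
             "cert_in_metadata": (value in allowed) if kind == "X509" else None}
            for kind, value in key_references(message_xml)]


if __name__ == "__main__":
    for sample in (SAMPLE_RESPONSE_KEYNAME, SAMPLE_RESPONSE_X509, SAMPLE_RESPONSE_NO_KEYINFO):
        for row in report(sample, SAMPLE_METADATA):
            print(row)
```

Run it against the base64-decoded SAMLResponse from the browser trace and the partner's metadata file. A KeyName row tells you which Key Name sub resolver to add and which string must be configured on the connection certificate; an X509 row with cert_in_metadata false means the partner signs with a certificate it does not publish, which is the second cause listed above; a none row calls for the Out Of Band sub resolver and a correct certificate on the connection.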