Common configuration errors for SAML 2.0
Certificate find error
The cause of this error is the formatting of the following value in web.config:
<SigningCertificate findValue="CN=*.presentations2go.eu,OU=Domain Control Validated, O=*.presentations2go.eu" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName" />
In the findValue above there is no space character between the comma and OU. There should be one, as in the corrected element:
<SigningCertificate findValue="CN=*.presentations2go.eu, OU=Domain Control Validated, O=*.presentations2go.eu" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName" />
Error after login
This error means the certificate cannot be read by the application.
To solve this, you need to give the NetworkService account access to the certificate's private key (see 2 above).
The signature of the incoming message is invalid
This error is caused by the SAML server (IdP) adding a signature in their metadata.
This can be solved either by making sure the signature is in the metadata or by ignoring the signature check. Note that ignoring the check means the application no longer verifies that the assertion was signed by the IdP, so fixing the metadata is the preferred option.
To ignore the signature check, change the web.config <IDPEndPoints> element setting from:
<add id="https://My.SamlServer.com/authentication/idp/metadata">
to
<add id="https://My.SamlServer.com/authentication/idp/metadata" omitAssertionSignatureCheck="true">
Subject still cannot be found
In some situations, the certificate cannot be read using x509FindType="FindBySubjectDistinguishedName". In that case you can use another method to find the certificate, for example x509FindType="FindByThumbprint". Of course, you will then need to supply the certificate's thumbprint as the SigningCertificate findValue.
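The following PowerShell script is an added example, not part of the original page or of the Presentations2Go product. It covers both the "Error after login" section (granting NetworkService access to the private key) and the "Subject still cannot be found" section (finding the certificate the same way the SigningCertificate element does, and reading off the exact Subject string and Thumbprint to put in findValue). The subject DN in $subject is a placeholder taken from the web.config example above; replace it with your own certificate's subject. Run it in an elevated PowerShell on the web server.

```powershell
# Added example (not from the original page): inspect the LocalMachine\My store,
# locate the signing certificate, and grant NETWORK SERVICE read access to its private key.
# Assumption: $subject is a placeholder; replace it with your certificate's exact Subject.
$subject = 'CN=*.presentations2go.eu, OU=Domain Control Validated, O=*.presentations2go.eu'

# 1. List every certificate with its exact Subject string and Thumbprint.
#    Subject is the string that FindBySubjectDistinguishedName must match exactly
#    (note the ", " separators); Thumbprint is the value to use with FindByThumbprint.
Get-ChildItem Cert:\LocalMachine\My |
    Select-Object Subject, Thumbprint, HasPrivateKey, NotAfter |
    Format-Table -AutoSize

# 2. Find the certificate the same way the SigningCertificate element does
#    (storeLocation="LocalMachine", storeName="My", x509FindType="FindBySubjectDistinguishedName").
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open('ReadOnly')
$found = $store.Certificates.Find(
    [System.Security.Cryptography.X509Certificates.X509FindType]::FindBySubjectDistinguishedName,
    $subject, $false)
$store.Close()
if ($found.Count -eq 0) {
    throw "No certificate matched subject '$subject'. Copy the Subject from the list above, or switch to FindByThumbprint."
}
$cert = $found[0]
Write-Host "Found certificate, thumbprint for FindByThumbprint: $($cert.Thumbprint)"

# 3. Grant NETWORK SERVICE read access to the private key file.
#    CAPI (RSACryptoServiceProvider) keys live under Microsoft\Crypto\RSA\MachineKeys;
#    CNG (RSACng) keys live under Microsoft\Crypto\Keys.
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; import it with the private key.' }
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $keyDir  = 'Microsoft\Crypto\RSA\MachineKeys'
} else {
    $keyName = $rsa.Key.UniqueName
    $keyDir  = 'Microsoft\Crypto\Keys'
}
$keyPath = Join-Path (Join-Path $env:ProgramData $keyDir) $keyName
if (-not (Test-Path $keyPath)) { throw "Private key file not found at $keyPath" }

$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'NT AUTHORITY\NETWORK SERVICE', 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl
Write-Host "Granted NETWORK SERVICE read access to $keyPath"
```

Step 2 reproduces the lookup the application performs, so a failure here is the same "Certificate find error" the page describes, and the listing in step 1 shows the exact Subject string (with the ", " separators) or Thumbprint to copy into findValue. Read access on the key file is enough for signing; only grant it to the account the application pool actually runs as.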