This past week I received this error in one of our lower environments when trying to log on.
The issue was that the certificate on the on-premises box hosting ADFS was configured to auto-regenerate 2 weeks before it expired. So, although we knew the certs were expiring soon, it caught us off guard when the Sign In page threw that error 2 weeks early.
To resolve the issue, the metadata in Azure ACS must be updated with the new certificate information. Doing so is extremely simple.
To refresh the metadata, perform the following steps:
- Navigate to the Azure Management Portal
- Select "Active Directory" from the menu on the left hand side
- Select "Access Control Namespaces" from the menu at the top
- Select "Manage" from the bottom of the screen. This should open up ACS
- Select "Identity Providers" from the menu on the left hand side
- Select the identity provider of interest
- Enter the URL of the WS-Federation metadata; it is hosted on the on-premises ADFS server.
- At the bottom of the page, select the check box "Reimport data from WS-Federation metadata URL upon save"
- Click "Save"
This should reach out to the server and import the metadata for the new cert, which will then show up on the page.
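A quick way to confirm what the metadata endpoint is actually publishing before (or after) the reimport is to pull it the same way ACS does and inspect the signing certificates it advertises. This is an added PowerShell check, not part of the original post; the metadata URL and the trusted thumbprint are placeholders for your own environment.

```powershell
# Added example (not from the original post). Fetches the WS-Federation metadata that ACS
# reimports and reports each token-signing certificate it advertises, flagging ones that
# are close to expiry or that the relying party (ACS) does not yet trust.
# $MetadataUrl and $TrustedThumbprint are placeholders for your environment.
param(
    [string]$MetadataUrl = "https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml",
    [string]$TrustedThumbprint = "",   # thumbprint ACS currently trusts, if known (optional)
    [int]$WarnDays = 14                # the ~2 week rollover window described above
)

$mdNs = "urn:oasis:names:tc:SAML:2.0:metadata"
$dsNs = "http://www.w3.org/2000/09/xmldsig#"

# The metadata endpoint is unauthenticated, so this is the same view ACS gets on reimport.
[xml]$metadata = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content

# ADFS repeats the same key under several RoleDescriptors; dedupe by thumbprint.
$seen = @{}
foreach ($kd in $metadata.GetElementsByTagName("KeyDescriptor", $mdNs)) {
    # Only signing keys matter for the SAML token signature that failed above.
    if ($kd.GetAttribute("use") -ne "signing") { continue }
    foreach ($node in $kd.GetElementsByTagName("X509Certificate", $dsNs)) {
        $bytes = [Convert]::FromBase64String($node.InnerText.Trim())
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)
        if (-not $seen.ContainsKey($cert.Thumbprint)) { $seen[$cert.Thumbprint] = $cert }
    }
}

$now = Get-Date
foreach ($cert in $seen.Values) {
    $daysLeft = [int]($cert.NotAfter - $now).TotalDays
    $status = "OK"
    if ($daysLeft -le $WarnDays) { $status = "EXPIRING" }
    if ($daysLeft -lt 0)         { $status = "EXPIRED" }
    if ($TrustedThumbprint -and $cert.Thumbprint -ne $TrustedThumbprint) {
        # The endpoint already advertises a cert ACS has not imported: the exact state
        # that produced the sign-in error in this post, so a reimport is due.
        $status += " / NOT TRUSTED BY ACS - reimport metadata"
    }
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        Status     = $status
    }
}
```

Run it on a schedule ahead of the rollover window and the mismatch shows up before users hit the Sign In page error.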
When we experienced this issue, importing the metadata fixed the SAML token but we then started experiencing a second error, shown below.
When we remoted onto the on-premises ADFS proxy, we saw this in the logs:
It turns out that the "error occurred when verifying security for this message" error is fairly generic. Searching Stack Overflow and other sites, lots of people got it when the server clock was out of sync with the client machine. In our case, however, that wasn't the issue.
We spent several hours diagnosing the issue until we just bounced the ADFS proxy boxes. I don't know exactly what that changed; I guess it's just the old adage of "When in doubt, reboot."