Office 365 SSO


I want to do SSO with Office 365 using a third-party IDP. After successfully authenticating from the IDP I got the error below.

Please find the error for the POST request:

POST error: invalid_grant

error_description: AADSTS70002: Error validating credentials. AADSTS50008: Unable to verify token signature. The signing key identifier does not match any valid registered keys.

I have found above error through SAML tracer plugin in Firefox.
2 Replies
Hi,

Please make sure the token signing certificate on the IDP and on O365 match; if not, please update it and it will work.

Steps to follow...

http://edoras.sk/sso-issue-with-aadsts50008-unable-to-verify-token-signature/

By token do you mean the SAML token or Microsoft token signing? Under ADFS, in the section that shows the token signing certificate I see a different certificate than the one in the IdP, but when I try to update it I see a warning message that basically says the automatic certificate rollover feature would no longer work if I choose to put in my own certificate. However, I have updated the IdP certificate in ADFS using Set-MsolDomainAuthentication, and when I retrieve this certificate using Get-MsolDomainFederationSettings -DomainName domain.com I see a SigningCertificate identical to the signing certificate in the IdP.
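AADSTS50008 is raised when the certificate that signed the SAML response is not among the signing certificates Azure AD has registered for the federated domain. The following diagnostic is an added example, not code from either poster: it compares the certificate embedded in a SAML response captured with SAML tracer against the SigningCertificate / NextSigningCertificate values returned by Get-MsolDomainFederationSettings. It assumes the MSOnline module is installed and Connect-MsolService has already been run; `domain.com` and the file path are placeholders.

```powershell
# Added diagnostic (not from any post on this thread): does the certificate that
# signed the captured SAML response match what Azure AD trusts for the domain?
# Assumes: MSOnline module loaded, Connect-MsolService already run.
param(
    [string]$Domain = 'domain.com',                   # placeholder: your federated domain
    [string]$SamlResponsePath = '.\SAMLResponse.xml'  # placeholder: decoded SAMLResponse saved from SAML tracer
)

# Azure AD returns certificates as base64 DER strings; turn one into an X509Certificate2.
function ConvertTo-X509 {
    param([string]$Base64)
    $bytes = [Convert]::FromBase64String(($Base64 -replace '\s', ''))
    return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
}

# 1. What Azure AD / O365 currently trusts for this domain (current and next rollover cert).
$fed = Get-MsolDomainFederationSettings -DomainName $Domain
$registered = @()
foreach ($b64 in @($fed.SigningCertificate, $fed.NextSigningCertificate)) {
    if ($b64) { $registered += ConvertTo-X509 $b64 }
}
Write-Host "Registered in Azure AD for ${Domain}:"
$registered | ForEach-Object { Write-Host ("  {0}  {1}  notAfter={2}" -f $_.Thumbprint, $_.Subject, $_.NotAfter) }

# 2. What the IdP actually used: the <ds:X509Certificate> inside the captured response.
[xml]$saml = Get-Content -Raw -Path $SamlResponsePath
$ns = New-Object System.Xml.XmlNamespaceManager($saml.NameTable)
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$idpCerts = @($saml.SelectNodes('//ds:X509Certificate', $ns) | ForEach-Object { ConvertTo-X509 $_.InnerText })
Write-Host "Used to sign the SAML response:"
$idpCerts | ForEach-Object { Write-Host ("  {0}  {1}" -f $_.Thumbprint, $_.Subject) }

# 3. Compare by thumbprint. A signing cert missing from the registered set is exactly
#    the "signing key identifier does not match any valid registered keys" condition.
$registeredThumbs = $registered | ForEach-Object { $_.Thumbprint }
$missing = $idpCerts | Where-Object { $registeredThumbs -notcontains $_.Thumbprint }
if ($missing) {
    Write-Warning "Mismatch: the IdP signing certificate is not registered in Azure AD (expect AADSTS50008)."
    # Remediation is the same cmdlet family the thread mentions, e.g.
    #   Set-MsolDomainFederationSettings -DomainName $Domain -SigningCertificate <base64 of IdP cert>
    # Re-run this script afterwards to confirm the thumbprints now match.
} else {
    Write-Host "OK: the SAML signing certificate matches a registered certificate."
}
```

If the thumbprints already match, check the response's Issuer against `$fed.IssuerUri` next, since that is the other value Azure AD uses to pick the registered key for the domain.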