Azure AD: getting Invalid X509 certificate chain when Unbind with itfoxtec

Question

I am using Azure AD as ADFS and I get response from it in the ACS route, however I am getting:

AuthenticationException: Invalid X509 certificate chain. Certificate name:'CN=accounts.accesscontrol.windows.net' and thumbprint:'9CEA376******251D1F'. Chain Status:'A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.'..

When running: binding.Unbind(httpRequest, saml2AuthnResponse); Note that same Saml2Configuration was done in the request and in the response.

any idea what could be the problem?

score 2 · Accepted Answer · answered Jun 30 '22 at 08:26

2

For the chain to validate successfully. The certificates root certificate has to be installed on the machine as a trusted root certificate. This is not possible in e.g. a Azure App Service.

The check kan be disabled by configuring "CertificateValidationMode": "None" in appsettings.json. Sample code: https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/master/test/TestWebAppCore/appsettings.json#L19

answered Jun 30 '22 at 08:26

Anders Revsgaard

3,636
1
9
25

1

Can you please tell me what does the .unbind() do? – Shadib Jun 30 '22 at 10:03
The unbind do the same as read and then it validates the received SAML 2.0 request / response including signatur validation. – Anders Revsgaard Jun 30 '22 at 11:19

Azure AD: getting Invalid X509 certificate chain when Unbind with itfoxtec

1 Answers1

Linked