SAML Error After Authentication

    Applies to:
  • Legacy SecureAuth IdP
Deployment model:
  • On Premises
  • Applicable SecureAuth IdP Versions: All Versions

    Description: User receives the following web page error message after going through the logon / authentication process:

    Error: at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey() at MFC.WebApp.SecureAuth.SAML20SPInit.SendSAMLResponse(SAMLResponse samlResponse, String relayState, String assertionConsumerServiceURL, String userID) at MFC.WebApp.SecureAuth.SAML20SPInit.Page_Load(Object sender, EventArgs e)

    Possible Cause 1

    Network Service (and Authenticated Users if using SSO / IWA) has not been granted Read access to the Private Keys of the X509 certificate used to sign the SAML assertion.

    Steps to Solve Cause 1:

    1. Go to the Post Authentication tab of the realm for which the workflow in question has been configured and look for the "Signing Cert Serial Number" field.

    2. Click on the "Select Certificate" link next to it, and make note of the selected certificate's following values:

    • Issued To
    • Issued By
    • To


    3. Open the cert console, navigate to Certificates (Local Computer) -> Personal -> Certificates, and right-click on the certificate whose Issued To, Issued By, and Expiration Date match the values noted in Step 2.

    4. In the sub-menu that opens, click on All Tasks -> Manage Private Keys...

    5. In the Permissions window that opens, click on the Add... button

    6. In the "Select Users, Computers, Service Accounts, or Groups" window that opens, type in "Network Service," then click the Check Names button. "Network Service" should be underlined, indicating that you have selected the right account.

    7. Click OK to close this window.

    8. With NETWORK SERVICE selected, uncheck the checkbox next to "Full Control" permission, leaving "Read" as the only permission checked. 

    If using SSO: Repeat Steps 5 thru 8 to add "Authenticated Users"

    9. Click OK once more to close the Permissions window.


    Following these steps should fix the error.


    Possible Cause 2

    Consider an environment which has:

    • Multiple SecureAuth appliances Load Balanced
    • Windows Desktop SSO is expected, but not working for some people, intermittently.For people who have errors, they get the same error in the Description above.

    Steps to Solve Cause 2:

    For every SecureAuth server, for the desired realm in question, make sure that in the Post Authentication -> Forms Auth/SSO Token -> Machine Key are matching across all servers.


    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.


    0 out of 0 found this helpful



    Please sign in to leave a comment.