Error upon SSO while initiating SP SAML

Description

Upon attempting to login to a website like WebEx while using SP initiated SAML request, you get this error:

Error: at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer) at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle) at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair() at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey() at MFC.WebApp.SecureAuth.SAML20SPInit.CreateSAMLResponse(AuthnRequest authnRequest, String sUser) at MFC.WebApp.SecureAuth.SAML20SPInit.Page_Load(Object sender, EventArgs e)

Resolution

1. The certificate is mismatched between the Service Provider and the SecureAuth realm
2. The security in this certificate does not allow the group “Network Service” to read the certificate.
3. When there is an environment with 2 or more SecureAuth appliances:
   1. The Load Balancer is not set to “persistent” load balancing, so the traffic is flip flopping between server 1 and 2 and getting confused
   2. The Forms Auth/SSO Token is not set up properly on the SecureAuth realm level
   3. One of the servers does not have the correct certificate selected for that realm