Receiving an SSO response from a partner identity provider has failed

Hi Team,

I’m getting the below exception on AssertionConsumerService

Internal.Cryptography.CryptoThrowHelper+WindowsCryptographicException: The profile for the user is a temporary profile.
at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(ReadOnlySpan`1 rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(ReadOnlySpan`1 rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate…ctor(ReadOnlySpan`1 data)
at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData)
at ComponentSpace.Saml2.Certificates.AbstractCachedCertificateLoader.GetCachedCertificateAsync(String key)
at ComponentSpace.Saml2.Certificates.AbstractCachedCertificateLoader.LoadCertificateFromFileAsync(String certificateFile, String certificatePassword)
at ComponentSpace.Saml2.Certificates.CertificateManager.LoadCertificatesAsync(IList`1 certificates, CertificateUse certificateUse)
at ComponentSpace.Saml2.Certificates.CertificateManager.GetLocalServiceProviderCertificatesAsync(LocalServiceProviderConfiguration localServiceProviderConfiguration, PartnerIdentityProviderConfiguration partnerIdentityProviderConfiguration, CertificateUse certificateUse)
at ComponentSpace.Saml2.SamlServiceProvider.GetLocalServiceProviderEncryptionCertificatesAsync(Boolean precondition)
at ComponentSpace.Saml2.SamlServiceProvider.DecryptSamlAssertionAsync(AssertionListItem assertionListItem)
at ComponentSpace.Saml2.SamlServiceProvider.GetSamlAssertionAsync(SamlResponse samlResponse)
at ComponentSpace.Saml2.SamlServiceProvider.ProcessSamlResponseAsync(XmlElement samlResponseElement, String relayState)
at ComponentSpace.Saml2.SamlServiceProvider.ReceiveSsoAsync()

2024-11-21 10:28:40.134 +01:00 [ERR] Exception in AssertionConsumerService: AssertionConsumerService Message:The profile for the user is a temporary profile. StackTrace:
at Internal.Cryptography.Pal.CertificatePal.FilterPFXStore(ReadOnlySpan`1 rawData, SafePasswordHandle password, PfxCertStoreFlags pfxCertStoreFlags)
at Internal.Cryptography.Pal.CertificatePal.FromBlobOrFile(ReadOnlySpan`1 rawData, String fileName, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate…ctor(ReadOnlySpan`1 data)
at System.Security.Cryptography.X509Certificates.X509Certificate2..ctor(Byte[] rawData)
at ComponentSpace.Saml2.Certificates.AbstractCachedCertificateLoader.GetCachedCertificateAsync(String key)
at ComponentSpace.Saml2.Certificates.AbstractCachedCertificateLoader.LoadCertificateFromFileAsync(String certificateFile, String certificatePassword)
at ComponentSpace.Saml2.Certificates.CertificateManager.LoadCertificatesAsync(IList`1 certificates, CertificateUse certificateUse)
at ComponentSpace.Saml2.Certificates.CertificateManager.GetLocalServiceProviderCertificatesAsync(LocalServiceProviderConfiguration localServiceProviderConfiguration, PartnerIdentityProviderConfiguration partnerIdentityProviderConfiguration, CertificateUse certificateUse)
at ComponentSpace.Saml2.SamlServiceProvider.GetLocalServiceProviderEncryptionCertificatesAsync(Boolean precondition)
at ComponentSpace.Saml2.SamlServiceProvider.DecryptSamlAssertionAsync(AssertionListItem assertionListItem)
at ComponentSpace.Saml2.SamlServiceProvider.GetSamlAssertionAsync(SamlResponse samlResponse)
at ComponentSpace.Saml2.SamlServiceProvider.ProcessSamlResponseAsync(XmlElement samlResponseElement, String relayState)
at ComponentSpace.Saml2.SamlServiceProvider.ReceiveSsoAsync()

When I clear the cache using Ctrl + Shift + Delete and then try to access the website, I encounter an error. However, if I restart the server and access the website afterward, it works. Unfortunately, clearing the cache again leads to the same error.

Please do the needful ASAP.

It looks like there’s an issue loading the PFX file used to decrypt the SAML assertion. We use the X509Certificate2 class to load PFX files.

Please take a look at:

Make sure the file permissions are set correctly. The account under which the application runs must have read access to the PFX file and create permission for the private key container folder.

If running under IIS, check that Load User Profile is set to true for the application pool under which your application is running.

If there’s still an issue, please enable SAML trace and send the generated log file as an email attachment to support@componentspace.com.
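The checks from the reply above, written out as an added PowerShell example; this is not part of the original thread and not ComponentSpace's or Microsoft's code. It assumes the IIS WebAdministration module, an application pool named DefaultAppPool, a PFX at C:\inetpub\certs\sp.pfx and a placeholder password; all three are assumptions to replace with your own values. The third step goes a little beyond the reply: it loads the same PFX with each X509KeyStorageFlags value so you can see whether the failure is tied to the per-user key store (which needs a loaded profile) or to the file itself.

```powershell
# Added diagnostic for "The profile for the user is a temporary profile" when the
# SAML SP decryption PFX is loaded. Example code, not ComponentSpace's; names below are assumed.
param(
    [string]$AppPoolName = 'DefaultAppPool',          # assumed: pool hosting the SAML service provider
    [string]$PfxPath     = 'C:\inetpub\certs\sp.pfx', # assumed path to the SP decryption certificate
    [string]$PfxPassword = 'changeit'                 # assumed; read from a secret store in real use
)

Import-Module WebAdministration

# 1. Load User Profile. Without it the worker process runs under a temporary profile and the
#    per-user key container that the PFX import needs cannot be created.
$pool = Get-Item "IIS:\AppPools\$AppPoolName"
$loadProfile = [bool]$pool.processModel.loadUserProfile
Write-Host "loadUserProfile for ${AppPoolName}: $loadProfile"
if (-not $loadProfile) {
    Set-ItemProperty "IIS:\AppPools\$AppPoolName" -Name processModel.loadUserProfile -Value $true
    Restart-WebAppPool $AppPoolName
    Write-Host "Enabled loadUserProfile and recycled the pool."
}

# 2. Which identity runs the pool, and does it have an ACL entry on the PFX?
$identity = switch ([string]$pool.processModel.identityType) {
    'ApplicationPoolIdentity' { "IIS AppPool\$AppPoolName" }
    'SpecificUser'            { [string]$pool.processModel.userName }
    default                   { [string]$pool.processModel.identityType }  # LocalSystem, NetworkService, ...
}
Write-Host "Pool identity: $identity"
$shortName = $identity.Split('\')[-1]
(Get-Acl $PfxPath).Access |
    Where-Object { $_.IdentityReference.Value -like "*$shortName*" } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize

# 3. Reproduce the library's load outside the application. The plain constructor imports the private
#    key into the current user's key store (needs a real profile). MachineKeySet uses the machine-wide
#    store under C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys; EphemeralKeySet keeps the key in memory.
$bytes = [System.IO.File]::ReadAllBytes($PfxPath)
foreach ($flagName in 'DefaultKeySet', 'UserKeySet', 'MachineKeySet', 'EphemeralKeySet') {
    try {
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::$flagName
        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes, $PfxPassword, $flags)
        Write-Host "$flagName : OK, thumbprint $($cert.Thumbprint), HasPrivateKey=$($cert.HasPrivateKey)"
        $cert.Dispose()
    } catch {
        Write-Host "$flagName : FAILED - $($_.Exception.Message)"
    }
}
```

Step 3 only tells you something if it runs as the pool identity rather than as the administrator running the script; if you cannot do that directly, run it from a scheduled task or a test page hosted in the same pool. A load that succeeds with MachineKeySet or EphemeralKeySet but fails with DefaultKeySet points at the missing user profile rather than at the PFX or its password.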