SamlCertificateException ... The X.509 certificate could not be loaded from the file ... failed to validate

We are testing the latest .Net Core SSO component to upgrade from an old ASP.NET version.

Loading our PFX file is throwing an error:

2022-09-01 16:31:43,779 ERROR ComponentSpace.Saml2.SamlServiceProvider.MoveNext [0] - MESSAGE: Initiation of SSO to the partner identity provider has failed.

ComponentSpace.Saml2.Exceptions.SamlCertificateException: The X.509 certificate could not be loaded from the file C:\inetpub\wwwroot\PBI\wwwroot\Certificates\GraspDataSSO.pfx.
---> ComponentSpace.Saml2.Exceptions.SamlCertificateException: The X.509 certificate with subject name E=, CN=, OU=, O=, L=*****, S=CA, C=US, serial number ***** and thumbprint ***** failed to validate.
at ComponentSpace.Saml2.Certificates.CertificateLoader.ValidateCertificate(X509Certificate2 x509Certificate)
at ComponentSpace.Saml2.Certificates.CertificateLoader.LoadCertificateFromFileAsync(String certificateFile, String certificatePassword)
--- End of inner exception stack trace ---
at ComponentSpace.Saml2.Certificates.CertificateLoader.LoadCertificateFromFileAsync(String certificateFile, String certificatePassword)
at ComponentSpace.Saml2.Certificates.AbstractCachedCertificateLoader.LoadCertificateFromFileAsync(String certificateFile, String certificatePassword)
at ComponentSpace.Saml2.Certificates.CertificateManager.LoadCertificatesAsync(IList certificates, CertificateUse certificateUse)
at ComponentSpace.Saml2.Certificates.CertificateManager.GetLocalServiceProviderCertificatesAsync(LocalServiceProviderConfiguration localServiceProviderConfiguration, PartnerIdentityProviderConfiguration partnerIdentityProviderConfiguration, CertificateUse certificateUse)
at ComponentSpace.Saml2.SamlServiceProvider.GetLocalProviderSignatureCertificatesAsync(Boolean precondition)
at ComponentSpace.Saml2.SamlServiceProvider.SendAuthnRequestAsync(XmlElement authnRequestElement, String relayState, String singleSignOnServiceUrl)
at ComponentSpace.Saml2.SamlServiceProvider.InitiateSsoAsync(String partnerName, String relayState, ISsoOptions ssoOptions)

The PFX loads with the old SSO component. Windows recognizes it as a valid certificate. I have tried using a .CER export of the same certificate and I get the same error.

Can you recommend any things for me to try to help me figure out why the file “failed to validate”? What is it validating against?

Thanks
Courtney

Hi Courtney,

By default we check whether the certificate has expired.

This check can be disabled at application start-up as follows.


using ComponentSpace.Saml2.Certificates;

// Disable the certificate expiry (NotAfter) check performed when loading certificates.
services.Configure<CertificateValidationOptions>(options =>
{
    options.EnableNotAfterCheck = false;
});

// Add SAML SSO services.
services.AddSaml(Configuration.GetSection("SAML"));

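Before turning the check off, it is worth seeing exactly which condition the PFX fails. The following is an added example, not ComponentSpace's code: it reproduces the NotBefore/NotAfter check on a PFX loaded from a file and password, the same inputs the component takes. Because the expiry dates live inside the certificate, a .cer export of the same certificate fails the same way. The sample certificate (subject, one-day-expired validity, file name and password) is constructed by the program itself so it runs offline; point Inspect at your own PFX to see the real values.

```csharp
// Added example: reproduce the expiry check that produces "failed to validate".
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class CertificateCheck
{
    // Returns "ok" or the reason a NotBefore/NotAfter check fails at `now`.
    // Both sides are compared in UTC; X509Certificate2 exposes local-time DateTimes.
    public static string Validate(X509Certificate2 cert, DateTime now)
    {
        var nowUtc = now.ToUniversalTime();
        if (nowUtc < cert.NotBefore.ToUniversalTime())
            return $"not yet valid: NotBefore={cert.NotBefore.ToUniversalTime():u}";
        if (nowUtc > cert.NotAfter.ToUniversalTime())
            return $"expired: NotAfter={cert.NotAfter.ToUniversalTime():u}";
        return "ok";
    }

    // Loads a PFX from file + password and reports the fields that matter
    // when a load fails: identity, validity window, and presence of the private key
    // (an SP signing certificate must carry one).
    public static string Inspect(string pfxPath, string password, DateTime now)
    {
        using var cert = new X509Certificate2(pfxPath, password);
        return string.Join(Environment.NewLine,
            $"Subject={cert.Subject}",
            $"Thumbprint={cert.Thumbprint}",
            $"HasPrivateKey={cert.HasPrivateKey}",
            $"NotBefore={cert.NotBefore.ToUniversalTime():u}",
            $"NotAfter={cert.NotAfter.ToUniversalTime():u}",
            $"Result={Validate(cert, now)}");
    }

    // Constructed sample input (not a real certificate): a self-signed certificate
    // that expired yesterday, written to a temporary PFX so Inspect has a file to load.
    public static string CreateExpiredPfx(string password)
    {
        using var rsa = RSA.Create(2048);
        var request = new CertificateRequest(
            "CN=example-sso, O=Example, C=US",   // assumed subject for the example
            rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

        var notBefore = DateTimeOffset.UtcNow.AddYears(-2);
        var notAfter = DateTimeOffset.UtcNow.AddDays(-1);   // already expired
        using var cert = request.CreateSelfSigned(notBefore, notAfter);

        var path = Path.Combine(Path.GetTempPath(), "expired-example.pfx"); // assumed path
        File.WriteAllBytes(path, cert.Export(X509ContentType.Pfx, password));
        return path;
    }

    public static void Main(string[] args)
    {
        // Usage: dotnet run -- <path-to.pfx> <password>
        // With no arguments, the constructed expired certificate is used.
        string path, password;
        if (args.Length == 2)
        {
            path = args[0];
            password = args[1];
        }
        else
        {
            password = "example-password";   // assumed password for the constructed PFX
            path = CreateExpiredPfx(password);
        }

        Console.WriteLine(Inspect(path, password, DateTime.UtcNow));
        // For the constructed certificate the last line reads "Result=expired: ...",
        // the same condition behind SamlCertificateException above.
    }
}
```

If the result is "expired", disabling EnableNotAfterCheck only suppresses the symptom; the service provider is still signing AuthnRequests with a certificate the partner identity provider may reject once it checks validity itself. The durable fix is to issue a new certificate, update the SP configuration, and publish the new public certificate to the identity provider.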

[quote]
ComponentSpace - 9/1/2022
Hi Courtney,

By default we check whether the certificate has expired.

This check can be disabled at application start-up as follows.


using ComponentSpace.Saml2.Certificates;

// Disable the certificate expiry (NotAfter) check performed when loading certificates.
services.Configure<CertificateValidationOptions>(options =>
{
    options.EnableNotAfterCheck = false;
});

// Add SAML SSO services.
services.AddSaml(Configuration.GetSection("SAML"));


[/quote]

Thank you! That fixed the problem!

Our certificate was expired, but as it was working in our older version of the ASP.NET SSO control, we didn't think it was the issue with the newer .Net Core version. I guess maybe the default changed since our older version (or we had turned it off on the older version and forgotten about it). I had looked for some way to possibly turn off validation but I wasn't able to come up with the fix you suggested. Now we can go ahead and upgrade our control!

Courtney


Hi Courtney,

We don't have this feature in the older version you were using, which is why it wasn't an issue.