I am using JIRA Data Center / Server or Confluence Data Center / Server. In the SAML single sign-on process I am redirected to the Identity Provider and successfully authenticated. When I am returned from the Identity Provider to JIRA / Confluence I get the error message:

```
Processing saml failed: : Assertion signature validation failed
Processing saml failed: : Neither Response or Assertion contains a valid signature
```

The most common reason for this error is that the wrong token signing certificate is used. Please check that the right certificate from your Identity Provider is included in the "IdP Token Signing Certificate" field of your plugin configuration.

It could also be that your JIRA / Confluence system is using a wrong encoding. You can check your system encoding in the following way:

- For JIRA Data Center / Server: choose the cog icon → System → System info → System Encoding.
- For Confluence Data Center / Server: choose the cog icon → General configuration → Encoding.

With the wrong system encoding the certificate cannot be decoded properly. As a solution you can change your encoding back to the standard value "UTF-8" with the following steps:

1. In the /bin directory (or /bin for JIRA WAR installations), open the setenv.sh (Linux) / setenv.bat (Windows) file.
2. Add the line `JVM_SUPPORT_RECOMMENDED_ARGS="-Dfile.encoding=utf-8"` and save it.
3. Choose the cog icon, then choose General Configuration under Confluence Administration.
4. Choose General Configuration in the left-hand panel.
5. Enter "UTF-8" in the text box next to Encoding.

Microsoft Azure Active Directory supports an OAuth2 protocol extension called the On-Behalf-Of flow (OBO flow). This is documented for both the Microsoft Identity Platform V1 and V2 endpoints.

The OBO flow is used in the following scenario, where both Web API 1 and Web API 2 are protected by Azure AD:

1. A client application (a SPA, a front-end web application, or a native application) signs a user into Azure AD and requests a delegated access token for Web API 1.
2. The client application then calls Web API 1 with the issued access token.
3. Web API 1 in turn needs to call a downstream Web API 2, so it uses its own access token (from step 2) to request an access token for Web API 2. In this step Web API 1 uses the OBO flow to exchange its access token for another resource's access token. The exchanged token is still issued on behalf of the originally signed-in user and carries delegated permissions.
4. Web API 1 uses the new access token to call Web API 2.

Let's look at the parameters used in an OBO flow at the V1 endpoint. A few highlighted parameters are worth calling out, as their significance will become more obvious a little later: the assertion is the access token issued in step 2 above, and the target resource is the Application ID URI or Application ID of Web API 2.

Let's look at OBO end-to-end traffic in Fiddler. Frames 1–14 show the user navigating to the web site and being redirected to Azure AD to log in. Frame 15 is the request to the token endpoint to get an access token for Web API 1.

It is extremely important to use the correct parameters in the OBO flow. Note that in this token exchange request the OBO parameters client_id and assertion (the access token) are for the calling application (Web API 1).

A common pitfall customers run into when using the OBO flow: I have seen a few AADSTS errors returned for this flow when either the client_id or the assertion parameter used is not for the calling application (Web API 1).

- HTTP 400 error: AADSTS500131: Assertion audience does not match the Client app presenting the assertion. The GUID in this error is an Azure AD Graph resource. Root cause: the access token used in the assertion is for a different application / resource instead of for the calling app Web API 1.
- HTTP 400 error: AADSTS50013: Assertion failed signature validation. [Reason – The provided signature value did not match the expected signature value., Thumbprint of key used by client: …]. Root cause: the access token used in the assertion is for the Microsoft Graph resource.
- HTTP 400 error: AADSTS50013: Assertion failed signature validation. [Reason – The key was not found., Thumbprint of key used by client: 'B25930C…]. Root cause: Web API 1 is a SAML application (check the Enterprise Application blade to see whether Single sign-on is enabled and a SAML signing certificate is attached).
- HTTP 500 error: AADSTS50000: There was an error issuing a token. Root cause: the client id used is either not valid or does not exist in the tenant.

To troubleshoot, take a Fiddler trace to see which parameters are used. Decode the access token used as the assertion and look at the "aud" (audience) claim to see whether it is for the calling Web API 1.
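The audience check and the V1-endpoint token exchange described above, as an added example that is not part of the original article and not Microsoft's code. The tenant, application IDs, Application ID URIs and the sample tokens are constructed placeholders; the endpoint URL, the jwt-bearer grant type and the form parameters (client_id, client_secret, assertion, resource, requested_token_use) are those of the documented V1 OBO request. The JWT decoding here is inspection only, not signature validation, which Azure AD performs server-side.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed placeholder identifiers for the walkthrough (not real tenant values).
TENANT = "contoso.onmicrosoft.com"
WEB_API1_APP_ID = "11111111-1111-1111-1111-111111111111"
WEB_API1_APP_ID_URI = "api://web-api-1.contoso.com"
WEB_API2_APP_ID_URI = "api://web-api-2.contoso.com"
MS_GRAPH_RESOURCE = "https://graph.microsoft.com"

# V1 token endpoint and the jwt-bearer grant used by the OBO exchange.
V1_TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT}/oauth2/token"
JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying its signature.

    This is an inspection aid (what a JWT decoding tool does for you), not token
    validation: Azure AD checks the assertion's signature server-side.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audience_matches_calling_api(token: str, accepted: set) -> bool:
    """True if the token's aud claim names the calling API (Web API 1).

    'aud' may be a string or a list, and Web API 1 may be identified by its
    Application ID or its Application ID URI, so both forms are accepted.
    """
    aud = decode_jwt_claims(token).get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    return any(a in accepted for a in audiences)


def build_obo_request(assertion: str, client_id: str, client_secret: str, resource: str) -> dict:
    """Build the form body of a V1-endpoint OBO token request.

    client_id/client_secret belong to the calling app (Web API 1), assertion is
    the access token Web API 1 received, and resource identifies the downstream
    API (Web API 2). The audience is checked first so a wrong assertion fails
    locally with a clear message instead of an AADSTS500131/AADSTS50013 reply.
    """
    if not audience_matches_calling_api(assertion, {WEB_API1_APP_ID, WEB_API1_APP_ID_URI}):
        raise ValueError("assertion 'aud' is not Web API 1; Azure AD would reject this exchange")
    return {
        "grant_type": JWT_BEARER_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "assertion": assertion,
        "resource": resource,
        "requested_token_use": "on_behalf_of",
    }


def make_sample_token(aud: str) -> str:
    """Constructed sample token for offline testing: Azure AD-like header and
    claims but a placeholder signature (it is never verified here)."""
    header = {"typ": "JWT", "alg": "RS256", "kid": "placeholder-kid"}
    claims = {
        "aud": aud,
        "iss": f"https://sts.windows.net/{TENANT}/",
        "scp": "user_impersonation",
        "upn": "user@contoso.com",
    }
    segments = [json.dumps(header).encode(), json.dumps(claims).encode(), b"placeholder-signature"]
    return ".".join(_b64url_encode(s) for s in segments)


if __name__ == "__main__":
    good = make_sample_token(WEB_API1_APP_ID)
    body = build_obo_request(good, WEB_API1_APP_ID, "placeholder-secret", WEB_API2_APP_ID_URI)
    print("POST", V1_TOKEN_ENDPOINT)
    print(urlencode(body))
    # A Microsoft Graph token presented as the assertion is the pitfall described above.
    wrong = make_sample_token(MS_GRAPH_RESOURCE)
    print("aud of wrong token:", decode_jwt_claims(wrong)["aud"])
```

Running the script prints the form body Web API 1 would POST to the V1 endpoint; the local audience check is the same inspection the troubleshooting step asks for (decode the assertion, read "aud"), done before the request leaves the service.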
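For the JIRA / Confluence SAML section above, an added diagnostic (not the plugin's code) that checks the two things the article points at: whether the Response or Assertion carries a signature at all, and whether the certificate configured in the "IdP Token Signing Certificate" field is the one the IdP actually signed with, by comparing SHA-1 thumbprints. It also rejects a configured value that is not clean base64 (for example with a BOM or non-ASCII bytes picked up under a wrong system encoding) with an explicit error instead of a silent mismatch. The SAML Response and the certificate bytes are constructed stand-ins, and the script does not perform XML signature verification, which the plugin does.

```python
import base64
import binascii
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for DER certificate bytes (not real X.509 certificates).
# The diagnostic only base64-decodes and hashes them, so they need not parse as ASN.1.
SAMPLE_IDP_CERT_B64 = base64.b64encode(b"constructed-idp-signing-certificate").decode("ascii")
SAMPLE_OTHER_CERT_B64 = base64.b64encode(b"constructed-stale-certificate").decode("ascii")

# Constructed minimal SAML Response: the Assertion is signed and the signature
# carries the signing certificate in KeyInfo (SignedInfo/SignatureValue omitted).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1">
  <saml:Assertion ID="_a1">
    <ds:Signature xmlns:ds="{NS['ds']}">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {SAMPLE_IDP_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


def configured_cert_der(configured: str) -> bytes:
    """Turn the 'IdP Token Signing Certificate' field value into DER bytes.

    Accepts PEM armour, line breaks and a leading UTF-8 BOM. A value stored or
    read under a wrong system encoding usually contains characters outside the
    base64 alphabet; that is reported clearly rather than as a silent mismatch.
    """
    lines = [ln.strip() for ln in configured.lstrip("\ufeff").splitlines()]
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    try:
        return base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"configured certificate is not valid base64 (encoding problem?): {exc}") from exc


def thumbprint(der: bytes) -> str:
    # SHA-1 thumbprint, the form most IdP consoles display.
    return hashlib.sha1(der).hexdigest().upper()


def inspect_signatures(response_xml: str) -> dict:
    """Report which elements are signed and which certificates the signatures advertise."""
    root = ET.fromstring(response_xml)
    info = {"response_signed": False, "assertion_signed": False, "thumbprints": []}

    def collect(sig):
        for cert in sig.findall(".//ds:X509Certificate", NS):
            if cert.text:
                info["thumbprints"].append(thumbprint(base64.b64decode("".join(cert.text.split()))))

    for sig in root.findall("ds:Signature", NS):
        info["response_signed"] = True
        collect(sig)
    for assertion in root.findall("saml:Assertion", NS):
        for sig in assertion.findall("ds:Signature", NS):
            info["assertion_signed"] = True
            collect(sig)
    return info


def diagnose(response_xml: str, configured: str) -> str:
    """One-line verdict mirroring the two error messages discussed above."""
    info = inspect_signatures(response_xml)
    if not (info["response_signed"] or info["assertion_signed"]):
        return "neither Response nor Assertion is signed: enable signing at the IdP"
    expected = thumbprint(configured_cert_der(configured))
    if not info["thumbprints"]:
        return "signature present but no KeyInfo certificate: compare the thumbprint with the IdP metadata manually"
    if expected in info["thumbprints"]:
        return "configured certificate matches the signing certificate"
    return f"certificate mismatch: configured {expected}, response signed with {', '.join(info['thumbprints'])}"


if __name__ == "__main__":
    print(diagnose(SAMPLE_RESPONSE, SAMPLE_IDP_CERT_B64))
    print(diagnose(SAMPLE_RESPONSE, SAMPLE_OTHER_CERT_B64))
```

To use it against a real login, capture the base64-decoded SAMLResponse from the browser's POST to the plugin's ACS URL and pass it together with the configured certificate text; a mismatch verdict means the field holds a stale or wrong IdP certificate, and a base64 error points at the encoding problem the article describes.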