Why does `IdSrv` throw `EncryptedTokenDecryptionFailedException` exception on WS Federation response POST to issue/hrd?

StackOverflow https://stackoverflow.com/questions/22181069

Question

I'm trying to set up federated authentication using Thinktecture.IdentityServer v2.

I have a web site set up as a relying party, and the site is set up to defer authentication to /issue/hrd at the identity server. This seems to work as expected.

Furthermore, I have added an Identity Provider (an ADFS) to the identity server through the IdSrv administration pages. The identity provider is configured with

  • an identifier
  • a display name
  • it's enabled
  • home realm discovery is enabled
  • WSStar is chosen as the type
  • the WS-Federation endpoint is filled in
  • the issuer thumbprint is filled in

The identity provider is configured to trust my identity server.

When the web site (RP) needs authentication, it redirects to the identity server, which further redirects to the identity provider. I get the login screen of the identity provider and am able to log in, but the HTTP POST back to /issue/hrd on the identity server fails with the following exception:

ID4022: The key needed to decrypt the encrypted security token could not be resolved. Ensure that the SecurityTokenResolver is populated with the required key.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.IdentityModel.Tokens.EncryptedTokenDecryptionFailedException: ID4022: The key needed to decrypt the encrypted security token could not be resolved. Ensure that the SecurityTokenResolver is populated with the required key.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[EncryptedTokenDecryptionFailedException: ID4022: The key needed to decrypt the encrypted security token could not be resolved. Ensure that the SecurityTokenResolver is populated with the required key.]
   System.IdentityModel.Tokens.Saml2SecurityTokenHandler.CreatePlaintextReaderFromEncryptedData(XmlDictionaryReader reader, SecurityTokenResolver serviceTokenResolver, SecurityTokenSerializer keyInfoSerializer, Collection`1 clauses, EncryptingCredentials& encryptingCredentials) +1042914
   System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ReadAssertion(XmlReader reader) +422
   System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ReadToken(XmlReader reader) +71
   System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader) +114
   System.IdentityModel.Services.TokenReceiver.ReadToken(String tokenXml, XmlDictionaryReaderQuotas readerQuotas, FederationConfiguration federationConfiguration) +356

[SecurityTokenException: ID1044: An encrypted security token was received at the relying party which could not be decrypted. Configure the relying party with a suitable decryption certificate. Current relying party decryption certificate info:
No Certificate Configured]
   System.IdentityModel.Services.TokenReceiver.ReadToken(String tokenXml, XmlDictionaryReaderQuotas readerQuotas, FederationConfiguration federationConfiguration) +1218
   Thinktecture.IdentityServer.Protocols.WSFederation.HrdController.ProcessWSFedResponse() +218
   lambda_method(Closure , ControllerBase , Object[] ) +79
   System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) +261
   System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +39
   System.Web.Mvc.Async.<>c__DisplayClass42.<BeginInvokeSynchronousActionMethod>b__41() +34
   System.Web.Mvc.Async.<>c__DisplayClass39.<BeginInvokeActionMethodWithFilters>b__33() +124
   System.Web.Mvc.Async.<>c__DisplayClass4f.<InvokeActionMethodFilterAsynchronously>b__49() +839035
   System.Web.Mvc.Async.<>c__DisplayClass4f.<InvokeActionMethodFilterAsynchronously>b__49() +839035
   System.Web.Mvc.Async.<>c__DisplayClass4f.<InvokeActionMethodFilterAsynchronously>b__49() +839035
   System.Web.Mvc.Async.<>c__DisplayClass4f.<InvokeActionMethodFilterAsynchronously>b__49() +839035
   System.Web.Mvc.Async.<>c__DisplayClass37.<BeginInvokeActionMethodWithFilters>b__36(IAsyncResult asyncResult) +15
   System.Web.Mvc.Async.<>c__DisplayClass2a.<BeginInvokeAction>b__20() +33
   System.Web.Mvc.Async.<>c__DisplayClass25.<BeginInvokeAction>b__22(IAsyncResult asyncResult) +839620
   System.Web.Mvc.<>c__DisplayClass1d.<BeginExecuteCore>b__18(IAsyncResult asyncResult) +28
   System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +15
   System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +65
   System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +15
   System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +51
   System.Web.Mvc.<>c__DisplayClass8.<BeginProcessRequest>b__3(IAsyncResult asyncResult) +42
   System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +15
   System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +51
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +606
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +288

--------------------------------------------------------------------------------

Solution 2

This looks like you configured your external IdP for token encryption.

We don't do token decryption right now. If that is important to you, open an issue on GitHub.

OTHER TIPS

Probably you forgot to configure, in your client's microsoft.identityModel/service config section, your certificate for decrypting the encrypted cookie:

  <!-- under microsoft.identityModel/service in the relying party's web.config -->
  <serviceCertificate>
    <certificateReference findValue="{Thumbprint}"
                          storeLocation="LocalMachine"
                          storeName="My"
                          x509FindType="FindByThumbprint" />
  </serviceCertificate>
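
Both answers point at the same cause: the ADFS relying party trust encrypts the SAML assertion, and the IdSrv side has no key with which to resolve it. The script below is an added example, not part of the original question, either answer, or Thinktecture.IdentityServer. It reads the `wresult` form field that ADFS POSTs to /issue/hrd, reports whether the assertion inside is encrypted, and extracts the reference to the certificate the IdP encrypted it for (an ADFS-style SHA-1 thumbprint KeyIdentifier, or an embedded X509Certificate), so that reference can be compared with the findValue configured under serviceCertificate. WIF's SecurityTokenResolver performs exactly that match, and ID4022 is what it throws when the match fails. The two sample responses, the thumbprint and the element layout are constructed for the example and are not captures from a real deployment.

```python
"""Diagnose a WS-Federation wresult that WIF rejects with ID4022 / ID1044.

Added example, not code from IdentityServer v2 or the original post.
"""
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET

NS = {
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "o": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
}
# ValueType ADFS uses when it references the RP's encryption certificate by SHA-1 thumbprint.
THUMBPRINT_SHA1 = "http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1"


def _find_local(elem, local_name):
    """First descendant with this local name, namespace ignored (WS-Trust 2005/02 or 1.3)."""
    for e in elem.iter():
        if e.tag.rsplit("}", 1)[-1] == local_name:
            return e
    return None


def requested_token(wresult_xml):
    """The RequestedSecurityToken element, i.e. the (possibly encrypted) assertion."""
    tok = _find_local(ET.fromstring(wresult_xml), "RequestedSecurityToken")
    if tok is None:
        raise ValueError("no RequestedSecurityToken in wresult")
    return tok


def encrypting_key_reference(token):
    """Which certificate the session key was wrapped for, as an upper-case SHA-1 hex thumbprint."""
    enc_key = token.find(".//xenc:EncryptedKey", NS)
    if enc_key is not None:
        kid = enc_key.find(".//o:KeyIdentifier", NS)
        if kid is not None and kid.get("ValueType") == THUMBPRINT_SHA1:
            return {"method": "ThumbprintSHA1", "thumbprint": base64.b64decode(kid.text.strip()).hex().upper()}
        cert = enc_key.find(".//ds:X509Certificate", NS)
        if cert is not None:
            der = base64.b64decode("".join(cert.text.split()))
            return {"method": "X509Certificate", "thumbprint": hashlib.sha1(der).hexdigest().upper()}
    # e.g. X509IssuerSerial only; WIF can still resolve that form, this script does not try.
    return {"method": "other", "thumbprint": None}


def diagnose(wresult_xml, configured_thumbprint=None):
    """Summarise the response; configured_thumbprint is the findValue under <serviceCertificate>."""
    token = requested_token(wresult_xml)
    if token.find(".//xenc:EncryptedData", NS) is None:
        return {"encrypted": False, "key_reference": None, "matches_service_certificate": None,
                "verdict": "assertion is plaintext; ID4022 cannot come from this response"}
    ref = encrypting_key_reference(token)
    matches = None
    if configured_thumbprint and ref["thumbprint"]:
        matches = ref["thumbprint"] == configured_thumbprint.replace(" ", "").upper()
    if not configured_thumbprint:
        verdict = ("assertion is encrypted and the RP has no decryption certificate (ID1044): "
                   "turn off encryption on the IdP's relying party trust, or configure the certificate")
    elif matches:
        verdict = ("encrypted for the configured certificate; check that the store entry has a "
                   "private key and that the application pool identity may read it")
    else:
        verdict = ("encrypted for a certificate other than the configured one: the IdP holds a "
                   "different (probably stale) encryption certificate for this RP")
    return {"encrypted": True, "key_reference": ref, "matches_service_certificate": matches,
            "verdict": verdict}


# Constructed sample data for the example (not a capture from a real ADFS or IdSrv deployment).
SAMPLE_THUMBPRINT = "0123456789ABCDEF0123456789ABCDEF01234567"
_KID = base64.b64encode(bytes.fromhex(SAMPLE_THUMBPRINT)).decode()
ENCRYPTED_WRESULT = f"""<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
 <t:RequestedSecurityToken>
  <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element" xmlns:xenc="{NS['xenc']}">
   <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
   <ds:KeyInfo xmlns:ds="{NS['ds']}">
    <xenc:EncryptedKey>
     <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-oaep-mgf1p"/>
     <ds:KeyInfo><o:SecurityTokenReference xmlns:o="{NS['o']}">
      <o:KeyIdentifier ValueType="{THUMBPRINT_SHA1}">{_KID}</o:KeyIdentifier>
     </o:SecurityTokenReference></ds:KeyInfo>
     <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedKey>
   </ds:KeyInfo>
   <xenc:CipherData><xenc:CipherValue>AAAA</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData>
 </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""
PLAIN_WRESULT = """<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">
 <t:RequestedSecurityToken>
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0" Version="2.0"><Issuer>adfs</Issuer></Assertion>
 </t:RequestedSecurityToken>
</t:RequestSecurityTokenResponse>"""

if __name__ == "__main__":
    # Usage: python wsfed_diag.py [saved_wresult.xml] [serviceCertificate thumbprint]
    xml = open(sys.argv[1]).read() if len(sys.argv) > 1 else ENCRYPTED_WRESULT
    print(diagnose(xml, sys.argv[2] if len(sys.argv) > 2 else None)["verdict"])
```

Run it against the URL-decoded wresult value saved from the browser's network tab. A plaintext assertion means the failure lies elsewhere; an encrypted one with no configured thumbprint is the "No Certificate Configured" case printed in the trace above, and since IdSrv v2 does not decrypt tokens at all, the practical fix is on the ADFS side: remove the encryption certificate from the relying party trust for the identity server so that it sends a signed but unencrypted assertion. If the thumbprint does match and WIF still fails, the usual causes are a store entry without a private key or an application pool identity without read access to it.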