Error The token was issued by an authority that is not trusted when using SAML ADFS 3.0 with Tomcat

Document ID : KB000117557
Last Modified Date : 16/10/2018
Issue:

Attempting to access the SDM Tomcat URL https://company.com:443/CAisd/pdmweb.exe after setting up SDM Tomcat for SAML results in the following error in the log:


audienceUris1 <><> https://company.com:443/CAisd/pdmweb.exe 
audienceUris2 <><> https://company.com:443/CAisd/pdmweb.exe 
com.auth10.federation.FederationException: The token was issued by an authority that is not trusted 
at com.auth10.federation.SamlTokenValidator.validate(SamlTokenValidator.java:158) 
at com.auth10.federation.FederatedLoginManager.authenticate(FederatedLoginManager.java:53) 
at com.auth10.federation.WSFederationFilter.authenticateWithToken(WSFederationFilter.java:195)
Cause:

Check the certificate thumbprint configured in the NX_ROOT/bopcfg/www/CATALINA_BASE/shared/resources/federation.properties file.

This thumbprint is that of the ADFS token-signing certificate, listed under ADFS -> Service -> Certificates -> Token-Signing; obtain it from an ADFS administrator.

If the thumbprint is copied from that certificate dialog and pasted directly into the federation.properties file, it can carry invisible Unicode characters (the sample below contains left-to-right marks, U+200E, in front of the hex digits) and spaces between the byte pairs, like this:

‎‎‎e5 bc 83 19 20 a3 8a ab 21 a4 50 fd 9d 71 85 94 37 b6 22 b6
Resolution:

These Unicode/special characters must not be present in the federation.properties file, and there must be no spaces between the pairs of hex digits in the thumbprint; remove the spaces manually before using the value. Because the Unicode characters are invisible, the line can look correct in an editor, yet the value no longer matches the thumbprint of the token-signing certificate, so the validator rejects every token as issued by an untrusted authority.


So, a good thumbprint should look like: 
federation.trustedissuers.thumbprint=e5bc831920a38aab21a450fd9d71859437b622b6 



Save the file and then restart SDM Tomcat.
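The check below is an added example, not part of the CA article or the SDM product: it reports every non-hex character (left-to-right marks, spaces) in the value of federation.trustedissuers.thumbprint, normalizes the value to 40 lowercase hex digits, and rewrites the properties content. The pasted thumbprint and the properties text are constructed samples.

```python
import re
import unicodedata

KEY = "federation.trustedissuers.thumbprint"
HEX40 = re.compile(r"^[0-9a-f]{40}$")  # a SHA-1 thumbprint is 20 bytes = 40 hex digits

# Constructed sample: the thumbprint as pasted from the ADFS certificate dialog, with
# three invisible U+200E LEFT-TO-RIGHT MARK characters and spaces between byte pairs.
PASTED = "\u200e" * 3 + "e5 bc 83 19 20 a3 8a ab 21 a4 50 fd 9d 71 85 94 37 b6 22 b6"

# Constructed sample federation.properties content (only the key this article discusses).
SAMPLE_PROPERTIES = f"# constructed sample\n{KEY}={PASTED}\n"


def stray_characters(value):
    """List (index, Unicode name) for every character that is not a hex digit."""
    return [(i, unicodedata.name(ch, f"U+{ord(ch):04X}"))
            for i, ch in enumerate(value) if ch not in "0123456789abcdefABCDEF"]


def normalize_thumbprint(value):
    """Drop every non-hex character, lowercase, and insist on exactly 40 hex digits."""
    cleaned = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    if not HEX40.match(cleaned):
        raise ValueError(f"expected 40 hex digits, got {len(cleaned)}: {cleaned!r}")
    return cleaned


def fix_properties(text):
    """Rewrite the thumbprint line with a clean value; return (new_text, findings)."""
    lines, findings = [], []
    for line in text.splitlines():
        if line.startswith(KEY + "="):
            raw = line[len(KEY) + 1:]
            findings = stray_characters(raw)   # what was hiding in the pasted value
            line = f"{KEY}={normalize_thumbprint(raw)}"
        lines.append(line)
    return "\n".join(lines) + "\n", findings


if __name__ == "__main__":
    fixed, found = fix_properties(SAMPLE_PROPERTIES)
    for index, name in found:
        print(f"offset {index}: {name}")
    print(fixed, end="")
```

Run it against the real file by reading federation.properties into `fix_properties` and writing the returned text back before restarting SDM Tomcat.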

Additional Information:
https://docops.ca.com/ca-service-management/17-1/en/installing/post-installation-tasks/ca-service-desk-manager-post-installation-tasks/enable-saml-authentication-for-ca-sdm