Unable to logon to K2 using AAD credentials: “WIF10201: No valid key mapping found for securityToken”

Problem: You unable to log on to K2 sites (Designer/Runtime/Management) using AAD credentials (AAD integration configured without SharePoint online as described here) and receiving the following error:

WIF10201: No valid key mapping found for securityToken: 'System.IdentityModel.Tokens.X509SecurityToken' and issuer: 'https://sts.windows.net/{YOUR_AAD_ID}/'.

Resolution steps:

1) Open your K2 AAD app Federation Metadata Document using the following URL: 

https://login.microsoftonline.com/{YOUR_DIRECTORY ID}/federationmetadata/2007-06/federationmetadata.xml

2) Inside metadata XML document you need to search for a certificate value within <X509Certificate></X509Certificate> tags and copy it. You need very first value from <Signature> section. It looks like it gets changed from time to time causing this issue.

3) Open online Calculate Fingerprint tool and paste this value into X.509 cert field of this page, make sure sha1 selected as algorithm and click on Calculate Fingerprint button:

4) Navigate to K2 Management > Authentication > Claims > Issuers. Select your AAD issuer, click Edit and paste unformatted FingerPrint value into Thumbprint field of Edit Claim Issuer dialog:

This completes required changes, no K2 service restart required after this, and you can proceed to step (5) immediately.

5) Try AAD logon again, clearing browser cache if necessary.

And the most important part (if you use K2 4.7): You may see this error with a regular intervals of around 2 months or something if you run K2 4.7 without November 2017. Be sure to apply November 2017 CU to get support for rollover of the Azure Active Directory certificate thumbprints. You can see that this has been added in November 2017 CU as per CU release notes, K2 Five support this in its RTM version.

 

Leave a Reply

Your email address will not be published. Required fields are marked *