Problem: AADSTS50008: Unable to verify token signature. The signing key identifier does not match any valid registered keys

Problem:

After logging in to Office 365 you are forwarded to https://login.microsoftonline.com/login.srf and receive the following error message:
AADSTS50008: Unable to verify token signature. The signing key identifier does not match any valid registered keys

Investigation:

Check whether:

  1. the ucs-sso certificate has not changed, i.e. the files referenced by the UCR variables
saml/idp/certificate/certificate
saml/idp/certificate/privatekey
  2. the UCR variable saml/idp/entityID has not changed

A good way to find out is to consult the file /var/log/univention/config-registry.replog, which records every change to UCR variables together with the old value.
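The following script is an added example and not part of the original article or of UCS itself. It scans a UCR replog for changes to the three variables listed above and prints the most recent value recorded for a given key. The replog sample embedded in the script is constructed here, and the assumed line format ("<timestamp>: set key=value old:oldvalue") should be checked against your own /var/log/univention/config-registry.replog before relying on the pattern.

```shell
#!/bin/sh
# Added example, not code from the original page or from UCS.
# Assumed replog line format: "<timestamp>: set key=value old:oldvalue"
# (and "<timestamp>: unset key old:oldvalue" for removed variables).

# Constructed sample replog used for a stand-alone run.
REPLOG_SAMPLE=$(mktemp)
trap 'rm -f "$REPLOG_SAMPLE"' EXIT
cat > "$REPLOG_SAMPLE" <<'EOF'
2021-03-01 09:12:44: set hostname=ucs-master old:ucs-master
2021-03-02 10:20:01: set saml/idp/entityID=https://ucs-sso.example.com/simplesamlphp/saml2/idp/metadata.php old:https://ucs-sso.schein.ig/simplesamlphp/saml2/idp/metadata.php
2021-03-02 10:21:17: set saml/idp/certificate/certificate=/etc/univention/ssl/ucs-sso.example.com/cert.pem old:/etc/univention/ssl/ucs-sso.schein.ig/cert.pem
2021-03-02 10:21:17: set saml/idp/certificate/privatekey=/etc/univention/ssl/ucs-sso.example.com/private.key old:/etc/univention/ssl/ucs-sso.schein.ig/private.key
2021-03-03 08:00:00: set ucs/web/theme=dark old:light
EOF

# Print every replog line that set or unset one of the variables the
# Office 365 federation depends on (entity ID, signing cert, private key).
saml_changes() {
    grep -E ': (set|unset) saml/idp/(entityID|certificate/(certificate|privatekey))(=| )' "$1"
}

# Number of such changes; a non-zero result means the IdP identity or key
# changed after the domain was federated and needs to be reconciled.
saml_change_count() {
    saml_changes "$1" | wc -l | tr -d ' '
}

# Most recent value written for a key (empty if the key never changed).
# Uses '|' as the sed delimiter because UCR keys contain '/'.
latest_value() {
    key=$2
    grep -F ": set $key=" "$1" | tail -n 1 \
        | sed -e "s|^.*: set $key=||" -e 's| old:.*$||'
}

# Stand-alone demonstration on the constructed sample.
echo "changes in sample: $(saml_change_count "$REPLOG_SAMPLE")"
saml_changes "$REPLOG_SAMPLE"
echo "latest entityID: $(latest_value "$REPLOG_SAMPLE" saml/idp/entityID)"

# On a real UCS system, run the same checks against the live replog.
REPLOG=/var/log/univention/config-registry.replog
if [ -r "$REPLOG" ]; then
    echo "changes on this system: $(saml_change_count "$REPLOG")"
    saml_changes "$REPLOG"
fi
```

Every matching line carries the old value after "old:", so the script also tells you what the entity ID or certificate path was when the domain was originally federated, which is the value Office 365 still expects.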

Solution:

Re-set the UCR variable saml/idp/entityID to its current value. This rewrites the hosted IdP metadata (the Multifile shown in the output below) so that it matches the entity ID registered with Office 365. If the investigation showed that the entity ID or the signing certificate actually changed, set it back to the previously registered value instead, because Office 365 still expects the key it was federated with.

ucr get saml/idp/entityID 
https://ucs-sso.schein.ig/simplesamlphp/saml2/idp/metadata.php

ucr set saml/idp/entityID=https://ucs-sso.schein.ig/simplesamlphp/saml2/idp/metadata.php
Setting saml/idp/entityID
Multifile: /etc/simplesamlphp/metadata/saml20-idp-hosted.php