000039142 - Federated SSO integration fails with error "ID4014: A SecurityTokenHandler is not registered to read security token" in RSA Archer

Document created by RSA Customer Support Employee on Jul 22, 2020
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000039142
Applies ToRSA Product Set: RSA Archer
RSA Product/Service Type: RSA Archer (On-Premise)
RSA Version/Condition:
IssueAfter deploying Federated SSO with RSA Archer and successfully authenticating against the Identity Provider, the user is returned to the RSA Archer login page.

An IE11 F12 network trace shows that a redirect to error.aspx occurred and a log reference ID was generated and put into the RSA Archer w3wp logs.

The error logged in the RSA Archer w3wp logs is below:

   <E2ETraceEvent xmlns="http://schemas.microsoft.com/2004/06/E2ETraceEvent">
       <System xmlns="http://schemas.microsoft.com/2004/06/windows/eventlog/system">
           <SubType Name="Error">0</SubType>
           <TimeCreated SystemTime="2020-07-16T18:20:16.7420487Z" />
           <Source Name="Archer.Web" />
           <Correlation ActivityID="{00000000-0000-0000-0000-000000000000}" />
           <Execution ProcessName="w3wp" ProcessID="7360" ThreadID="23" />
           <Channel />
                   <TraceRecord Severity="Error" xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord">
                       <Description>ID4014: A SecurityTokenHandler is not registered to read security token ('BinarySecurityToken', 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd').</Description>
                           <ExceptionType>System.IdentityModel.Tokens.SecurityTokenException, System.IdentityModel, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089</ExceptionType>
                           <Message>ID4014: A SecurityTokenHandler is not registered to read security token ('BinarySecurityToken', 'http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd').</Message>
                           <StackTrace>   at System.IdentityModel.Services.TokenReceiver.ReadToken(String tokenXml, XmlDictionaryReaderQuotas readerQuotas, FederationConfiguration federationConfiguration)
      at ArcherTech.Web.Modules.Foundation.Utility.WSFederationSingleSingOnHelper.Process(WSSignInContext context)
      at ArcherTech.Web.Modules.Foundation.Views.DefaultPresenter.SingleSignOn()
      at Security2000.Default.Page_Load(Object sender, EventArgs e)
      at System.Web.UI.Control.OnLoad(EventArgs e)
      at ArcherTech.Web.ArcherTechPage`2.OnLoad(EventArgs e)
      at Security2000.Default.OnLoad(EventArgs e)
      at System.Web.UI.Control.LoadRecursive()
      at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)</StackTrace>
CauseThe RSA Archer Federated SSO option is designed to work with Microsoft ADFS + SAML 2.0 (and later).

When attempting to use the RSA Archer Federated SSO option with JWT token format, the failure occurs because JWT token format is not supported with RSA Archer's Federated SSO sign on configuration.
Resolution1. Reconfigure the Service Provider (or combined SP/IDP) to provide token format SAML instead of token format JWT. 
2. Download and re-import the Federation Metadata from the Service Provider or combined SP/IDP into the RSA Archer Control Panel's Federated SSO configuration.
3. In administrator command prompt on all web servers run the command:  iisreset

Important Note: For RSA Archer Federated SSO integrations with Ping Federate, it is necessary to redo the entire configuration of the Federated endpoint from the beginning since this configuration option cannot be changed after the endpoint is created.