Been bashing my head against this (WIF: ID1014: The signature is not valid. The data may have been tampered with) problem now for about a week. WIF tracing has been useless in trying to solve this. For my own sanity's sake, here are the possible causes that I have found so far that could cause it.
- Token signed with an incorrect certificate: the wrong certificate is specified in the configuration under FederationConfigurations\serviceCertificate\certificateReference.
- Multiple FederationConfigurations, and the wrong one is used when creating the token.
- Old token signed with DPAPI, but the system expects decryption with RSA.
- Using a machine key in a load-balanced environment. Machine key can't scale! (http://stackoverflow.com/questions/10780729/wif-id1014-the-signature-is-not-valid-the-data-may-have-been-tampered-with)
- The HttpContext.Current.User is null when the token is created. (http://stackoverflow.com/questions/24765097/wif-id1014-the-signature-is-not-valid-the-data-may-have-been-tampered-with)
- Certificate not loaded from a store. (Unconfirmed) (https://social.msdn.microsoft.com/Forums/vstudio/en-US/bd74fdf0-1388-4c6f-a2ed-58b5172a3988/signature-not-valid-when-using-nonstore-certificate?forum=Geneva)
For me the problem surfaced in a unique configuration where our STS gets configured as an RP-STS & STS. When a desktop system needs to access a resource in our website, it sends the STS a token generated from our A-STS, and this then signs it into the federation. It is with this specific situation that my problem surfaced.
WTF! I found a solution for my problem, but I do not know what was causing this issue. In the end I ended up programmatically rebuilding the FederationConfiguration and assigning it to the FederatedAuthentication.SessionAuthenticationModule.FederationConfiguration property each time just before the sign-in. I could not see any difference between the FederationConfiguration from the config file and the one I was building programmatically, but it solved my problem.
I hate leaving this issue without understanding what caused it, but I have spent too much time on it already.
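The workaround described above, written out as an added C# example (not the post's own code): it rebuilds the FederationConfiguration from web.config, pins a service certificate loaded from the machine store, replaces the DPAPI session-token protection with RSA cookie transforms bound to that certificate, and assigns the result to the SessionAuthenticationModule before sign-in. The class and method names and the thumbprint placeholder are assumptions; the WIF types are the real System.IdentityModel ones.

```csharp
using System;
using System.Collections.ObjectModel;
using System.IdentityModel;
using System.IdentityModel.Services;
using System.IdentityModel.Services.Configuration;
using System.IdentityModel.Tokens;
using System.Security.Cryptography.X509Certificates;

public static class FederationConfigRebuilder
{
    // Placeholder: take the thumbprint from the serviceCertificate element in web.config.
    private const string ServiceCertThumbprint = "REPLACE-WITH-SERVICE-CERT-THUMBPRINT";

    // Load the service certificate from the machine store rather than from a file.
    public static X509Certificate2 LoadServiceCertificate()
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, ServiceCertThumbprint, validOnly: false);
            if (matches.Count == 0 || !matches[0].HasPrivateKey)
                throw new InvalidOperationException("Service certificate (with private key) not found.");
            return matches[0];
        }
    }

    // Build the FederationConfiguration from web.config, pin the service certificate, and protect
    // the session token with RSA transforms bound to that certificate instead of the DPAPI default.
    public static FederationConfiguration Build()
    {
        var cert = LoadServiceCertificate();
        var config = new FederationConfiguration(loadConfig: true);
        config.ServiceCertificate = cert;
        config.IdentityConfiguration.ServiceCertificate = cert;
        var transforms = new ReadOnlyCollection<CookieTransform>(new CookieTransform[] {
            new DeflateCookieTransform(),
            new RsaEncryptionCookieTransform(cert),
            new RsaSignatureCookieTransform(cert) });
        config.IdentityConfiguration.SecurityTokenHandlers.AddOrReplace(
            new SessionSecurityTokenHandler(transforms));
        if (!config.IsInitialized) config.Initialize();
        return config;
    }

    // Call just before the sign-in, as the post describes.
    public static void ApplyBeforeSignIn()
    {
        var sam = FederatedAuthentication.SessionAuthenticationModule
            ?? throw new InvalidOperationException("SessionAuthenticationModule is not registered.");
        sam.FederationConfiguration = Build();
    }
}
```

Every node behind a load balancer must hold the same certificate and private key, otherwise a session cookie written by one node fails signature validation on another.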