Symptoms
Azure AD certificate rollover cause error: WIF10201: No Valid key mapping for SecurityToken: 'System.IdentityModel.Tokens.X509SecurityToken' and issuer: 'https://sts.windows.net/{guid}/'.
Diagnoses
This is currently expected behavior whenever the Azure AD certificate is rolled over as the certificate thumbprint stored in the K2 database [Identity].[ClaimIssuer] table is no longer in sync with the Azure AD certificate thumbprint. Usually in a hybrid environment, K2 onpremise connected to Sharepoint online.
Resolution
This new thumbprint can be retrieved by using the federation metadata XML for your STS by appending the following to the URL that you see in the error:
https://sts.windows.net/{yourGUID}/federationmetadata/2007-06/federationmetadata.xml
The thumbprints can be retrieved from the federation metadata by using the method below: https://support.pingidentity.com/PingFederate/Certificates/How-to-retrieve-certificate-from-metadata
As there were two X509Certificate/Thumbprint returned by the federation metadata, the Azure AD Issuer entry was duplicated in the [Identity].[ClaimIssuer] table such that both thumbprints can be inserted/updated. The necessary mappings in the [Identity].[ClaimRealmIssuer] table.
When copying the thumbprint from the certificates to remove spaces, perhaps use an advanced notepad application/word application that would allow for the showing of hidden/special characters such as white spaces, tabs, end of line characters such that it can be excluded from the Thumbprint when updating/adding to the database. Leading/trailing spaces and/or special characters can cause the thumbprint to be invalid resulting in the same error 'No Valid key mapping for SecurityToken' error. Perhaps manually typing it in will be a good way to validate not copying unnecessary characters.
A K2 Blackpearl service restart is needed afterward to affect this change. Please note that these steps to manually update the Azure AD thumbprint will be needed the next time Azure AD certificate is rolled over. A feature request was also logged to automate this procedure in a future update.
