SAML authentication fails with PingFed IdP with error “There was a failure with the mapped account”

Users get the error “There was a failure with the mapped account” when attempting to log in to the StoreFront URL after SAML authentication has been configured on the StoreFront server with a PingFed IdP.

When we check the Citrix Delivery Services event logs on the StoreFront (SF) server, we see the error below:

The security token failed validation.
System.IdentityModel.SignatureVerificationFailedException, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
ID4037: The key needed to verify the signature could not be resolved from the following security key identifier ‘SecurityKeyIdentifier
    (
    IsReadOnly = False,
    Count = 1,
    Clause[0] = System.IdentityModel.Tokens.Saml2SecurityKeyIdentifierClause
    )
‘. Ensure that the SecurityTokenResolver is populated with the required key.
   at System.IdentityModel.EnvelopedSignatureReader.ResolveSigningCredentials()
   at System.IdentityModel.EnvelopedSignatureReader.OnEndOfRootElement()
   at System.IdentityModel.EnvelopedSignatureReader.Read()
   at System.Xml.XmlReader.ReadEndElement()
   at System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ReadAssertion(XmlReader reader)
   at System.IdentityModel.Tokens.Saml2SecurityTokenHandler.ReadToken(XmlReader reader)
   at System.IdentityModel.Tokens.SecurityTokenHandlerCollection.ReadToken(XmlReader reader)
   at Citrix.DeliveryServices.Authentication.Saml20.SamlExtensions.GetSecurityToken(String assertion, SecurityTokenHandlerCollection securityTokenHandlers)
   at Citrix.DeliveryServices.Authentication.Saml20.SamlManager.ProcessSamlResponse(String base64EncodedResponse, Boolean compressed)
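
One way to see what key material a captured response actually carries, as an added example that is not part of the original article or of Citrix's code: the PowerShell function below (hypothetical name Get-SamlSigningKeyInfo) decodes an uncompressed Base64 SAMLResponse value and reports, for each XML signature, whether it embeds an X.509 certificate and what its thumbprint is, so it can be compared with the IdP signing certificate StoreFront is expected to trust. The sample response and its issuer URL are constructed.

```powershell
# Added diagnostic example; the function and parameter names are hypothetical.
function Get-SamlSigningKeyInfo {
    param(
        [Parameter(Mandatory)][string]$Base64Response,  # SAMLResponse value captured from a failing logon
        [string]$ExpectedThumbprint                     # thumbprint of the IdP signing certificate you expect
    )
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.LoadXml([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Base64Response)))

    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:2.0:assertion')
    $issuer = $xml.SelectSingleNode('//saml:Assertion/saml:Issuer', $ns)

    foreach ($sig in $xml.SelectNodes('//ds:Signature', $ns)) {
        # The certificate is optional in KeyInfo; when it is absent, the receiver
        # must already hold the verification key, which is what ID4037 complains about.
        $certNode = $sig.SelectSingleNode('ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)
        $cert = $null
        if ($certNode) {
            $raw  = [byte[]][Convert]::FromBase64String($certNode.InnerText)
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
        }
        [pscustomobject]@{
            SignedElement   = $sig.ParentNode.LocalName
            Issuer          = if ($issuer) { $issuer.InnerText.Trim() }
            HasEmbeddedCert = [bool]$cert
            Subject         = if ($cert) { $cert.Subject }
            Thumbprint      = if ($cert) { $cert.Thumbprint }
            NotAfter        = if ($cert) { $cert.NotAfter }
            MatchesExpected = if ($cert -and $ExpectedThumbprint) {
                $cert.Thumbprint -eq ($ExpectedThumbprint -replace '\s', '').ToUpper()
            }
        }
    }
}

# Constructed sample: a signed assertion whose Signature has no KeyInfo certificate.
$sample = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion ID="_constructed" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo/><ds:SignatureValue/></ds:Signature>
  </saml:Assertion>
</samlp:Response>
'@
Get-SamlSigningKeyInfo -Base64Response ([Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sample)))
```

The function only inspects the response; it does not verify the signature, so a matching thumbprint shows which key was used, not that the assertion is valid.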
