Let me describe the scenario. I installed MIM Portal, and during the install I specified a cert that I received from the company cert system; I did not select the option for MIM to generate a cert. After that I installed SSPR on another server. When I connect from the SSPR server I get the registration form, but when I click Next I get the 3008 error, and in the event log of the MIM Server I see:

There was an error serializing the security token.
Please see the inner exception for more details.
---> System.InvalidOperationException: The SamlAssertion could not be serialized to XML. Please see inner exception for details.
---> System.Security.Cryptography.CryptographicException: Keyset does not exist
There is a TechNet post on this error: add the MIMService account to the cert and give it read access. It did not work. Which brings me to another point I want to stress:

When you request a cert to be used on your MIM Server for SSL or anything else, make sure you get a cert issued with the option that allows export of the private key.

Back to the issue at hand: after trying many things, here is the solution.
When you install MIM with the option that it should generate its own cert, it generates a cert known as ForeFrontIdentityManager.

This cert must be present for the MIM Service to work properly, and also for SSPR to work well. During the install, MIM will also give the MIMService account read rights to the cert. I had to run MIM setup again in change mode and select that MIM should generate its own cert. It generated the ForeFrontIdentityManager cert but did not give the MIMService account the read rights, so I had to do that manually. See the TechNet post.
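The two manual checks mentioned above (is the private key exportable, and does the MIM Service account have read access to it) can be done from PowerShell instead of clicking through the certificates MMC. The script below is an added example, not from the original post or from Microsoft; it assumes the certificate is in the LocalMachine\My store with a subject containing ForefrontIdentityManager (change the filter to the subject of the cert you supplied at install time), and that the service account is CONTOSO\MIMService, which is a placeholder for your own account. Run it in an elevated PowerShell session on the MIM Service server.

```powershell
# Added example: inspect the MIM Service certificate's private key and grant
# the MIM Service account read access to the key file on disk.
# Assumptions (adjust to your environment):
#   - the cert is in Cert:\LocalMachine\My and its subject contains $SubjectMatch
#   - $ServiceAccount is a placeholder for your real MIM Service account
param(
    [string]$SubjectMatch   = 'ForefrontIdentityManager',
    [string]$ServiceAccount = 'CONTOSO\MIMService'
)

# Pick the newest cert that matches the subject and actually has a private key.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$SubjectMatch*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    throw "No certificate with a private key matching '$SubjectMatch' was found in LocalMachine\My."
}
Write-Host "Certificate : $($cert.Subject)"
Write-Host "Thumbprint  : $($cert.Thumbprint)"

# Resolve the private key. On .NET Framework this returns RSACryptoServiceProvider
# for legacy CAPI (CSP) keys and RSACng for CNG keys; the key files live in different folders.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $uniqueName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    $exportable = $rsa.CspKeyContainerInfo.Exportable
}
elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
    $uniqueName = $rsa.Key.UniqueName
    $exportable = ($rsa.Key.ExportPolicy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
}
else {
    throw "Unsupported private key type: $($rsa.GetType().FullName) (HSM or smart card provider?)"
}

# The post's warning: a non-exportable key cannot be moved to another server later.
Write-Host "Exportable  : $exportable"

# Locate the key file under the machine key folders (CAPI and CNG locations).
$candidates = @(
    (Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $uniqueName),  # CAPI (CSP) keys
    (Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $uniqueName)              # CNG keys
)
$keyPath = $candidates | Where-Object { Test-Path -Path $_ } | Select-Object -First 1
if (-not $keyPath) {
    throw "Private key file '$uniqueName' was not found in the machine key folders."
}
Write-Host "Key file    : $keyPath"

# Grant Read on the key file. This is what the TechNet fix does through the
# certificates MMC "Manage Private Keys" dialog; "Keyset does not exist" is the
# symptom when the service account cannot read this file.
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

# Verify the ACE is now present for the service account.
(Get-Acl -Path $keyPath).Access |
    Where-Object { $_.IdentityReference -eq $ServiceAccount } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

After granting access, restart the Forefront Identity Manager Service so it re-opens the key under the new ACL; if the script reports the key as not exportable, that is the situation the warning above is about, and a new cert request with the exportable option is the only clean way out.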
My advice? When you install MIM, specify that MIM should generate a cert. After the install you can run MIM setup in change mode and specify any other cert you want to use.