ADFS auto-renewed token signing certificate and Proxy

    Question

  • I have trouble finding definite answer to the fundamentals of ADFS token-signing certificate when using ADFS generated certificates and ADFS Proxy.

    When installing ADFS and Proxy, I need to export the ADFS generated self-signed token-signing certificate and make it trusted on both ADFS and Proxy.

    But when ADFS generates new certificates (once a year by default), do I need to manually export the generated certificate again and make it trusted on both ADFS and Proxy?

    Is setting token-signing certificate as trusted enough, or should I do the same also for token-decrypting certificate?

    Thanks!

    PS. This is a cross-post of http://community.office365.com/en-us/forums/178/p/65913/254393.aspx#254393, as I think this forum is the correct place for this question as it is more about ADFS itself than Office 365.
    Tuesday, September 18, 2012 12:16 PM

Answers

  • The token signing certificate is automatically activated on ADFS server. No action on ADFS proxy server.

    The manual steps are to update the configurations at the SaaS vendor side. If you have Office 365 you must run the update PowerShell command. For Google and Salesforce you have to log on to their admin portals and upload the new certificate. For other SaaS vendors you need to open a helpdesk ticket with them. So getting a new cert with auto-generation is a simple thing; the hard part is the process to update all SaaS vendor configurations with the new certificate at the same time.

    Hope that helps,

    Lutz 

    • Marked as answer by Jussi P Monday, September 24, 2012 5:47 AM
    Thursday, September 20, 2012 11:58 AM
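The following PowerShell is an added example, not code from the thread or from Microsoft. It shows how an administrator can inspect the auto-rollover settings and the token-signing certificates on the ADFS server (a staged secondary certificate is the signal that relying parties need updating), and then the Office 365 side that Lutz refers to: comparing the certificate registered for the federated domain with the one ADFS uses and pushing the new one. It assumes the ADFS 2.0 snap-in (newer ADFS versions ship a module instead) and the MSOnline module; the domain name is a placeholder.

```powershell
# Added example: check ADFS certificate auto-rollover state and sync Office 365.
# Assumes the ADFS 2.0 PowerShell snap-in and the MSOnline module are installed.

if (-not (Get-Command Get-ADFSProperties -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell   # ADFS 2.0; on 2012 R2 and later use Import-Module ADFS
}

$props = Get-ADFSProperties
"AutoCertificateRollover        : $($props.AutoCertificateRollover)"
"CertificateDuration (days)     : $($props.CertificateDuration)"
"CertificateGenerationThreshold : $($props.CertificateGenerationThreshold)  (days before expiry a new cert is generated)"
"CertificatePromotionThreshold  : $($props.CertificatePromotionThreshold)  (days after generation it becomes primary)"

# List every token-signing certificate ADFS holds, primary first. A non-primary
# entry means a rollover has been staged: relying parties must learn the new
# certificate before ADFS promotes it, or their signature checks will fail.
$signing = Get-ADFSCertificate -CertificateType Token-Signing |
    Sort-Object IsPrimary -Descending |
    ForEach-Object {
        New-Object PSObject -Property @{
            IsPrimary  = $_.IsPrimary
            Thumbprint = $_.Thumbprint
            NotBefore  = $_.Certificate.NotBefore
            NotAfter   = $_.Certificate.NotAfter
            DaysLeft   = [int]($_.Certificate.NotAfter - (Get-Date)).TotalDays
        }
    }
$signing | Select-Object IsPrimary, Thumbprint, NotBefore, NotAfter, DaysLeft | Format-Table -AutoSize

if ($signing | Where-Object { -not $_.IsPrimary }) {
    Write-Warning "A secondary token-signing certificate is staged; update relying parties before it is promoted."
}

# Office 365 side: Get-MsolFederationProperty shows the signing certificate the
# tenant has on file next to the one ADFS currently uses; Update-MsolFederatedDomain
# re-reads the ADFS configuration and uploads the current and next signing certs.
$domain = 'example.com'   # placeholder: your federated domain name
Import-Module MSOnline
Connect-MsolService       # prompts for tenant administrator credentials
Get-MsolFederationProperty -DomainName $domain | Format-List Source, *Certificate*
Update-MsolFederatedDomain -DomainName $domain
```

Run the first part on the ADFS server (not the proxy, which holds no token-signing key) and the second part from any machine with the MSOnline module. The warning is the practical trigger for the "update all vendors at the same time" step Lutz describes: the window between generation and promotion is CertificatePromotionThreshold days.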

All replies

  • Hi,

    the token signing certificate lives only on the ADFS server but never on the ADFS proxy server.

    I think you mean the communications certificate. This is a standard SSL certificate and should be a different one on ADFS server and ADFS proxy, but both have the same common name, e.g. adfs.yourdomain.com

    I recommend disabling the certificate auto-renew, especially if you have many relying parties and do not want to update the token signing certificate every year. You can create a self-signed cert for that, e.g. with a 5 year validity.

    Regards,

    Lutz

    Wednesday, September 19, 2012 4:40 PM
  • Thank you Lutz.

    Just to confirm, each time ADFS auto-generates token signing cert (if we decide to keep auto-generation enabled), it would require a manual step of making the certificate trusted on the ADFS server. No action would be required on the Proxy server at that time?


    • Edited by Jussi P Thursday, September 20, 2012 5:30 AM
    Thursday, September 20, 2012 5:29 AM
  • I agree that many partners have not enabled automatic key/cert roll-over. But they should have done that!

    I recommend leaving automagic on. And if the partner is not as advanced as ADFS, then you need to contact them indeed.

    I also agree with Lutz, that you shouldn't have to do anything on the ADFS server or the proxy. No need to add it to Trusted People.


    Paul Lemmers

    Thursday, September 20, 2012 12:20 PM
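Paul's point is that a partner with automatic rollover enabled picks up the new key from the ADFS federation metadata rather than from a manually uploaded file. The following PowerShell is an added example (not from the thread) that downloads that metadata, lists the signing certificates it publishes, and, when run on the ADFS server itself, checks that every token-signing certificate ADFS holds is actually in the published set. The host name is a placeholder; the metadata URL path is the standard ADFS one.

```powershell
# Added example: show which signing certificates an ADFS farm publishes for
# partners that consume federation metadata, and cross-check against local certs.
$adfsHost    = 'adfs.example.com'   # placeholder: your ADFS service name
$metadataUrl = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"

$client = New-Object System.Net.WebClient
[xml]$metadata = $client.DownloadString($metadataUrl)

# KeyDescriptor use="signing" appears under several role descriptors
# (SecurityTokenServiceType, IDPSSODescriptor, ...); local-name() sidesteps
# the namespace prefixes so one XPath covers all of them.
$nodes = $metadata.SelectNodes(
    "//*[local-name()='KeyDescriptor' and @use='signing']//*[local-name()='X509Certificate']")

$published = $nodes |
    ForEach-Object { $_.InnerText.Trim() } |
    Sort-Object -Unique |
    ForEach-Object {
        $bytes = [Convert]::FromBase64String($_)
        # The leading comma forces the byte[] to be passed as one constructor argument.
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$bytes)
        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    }

"Signing certificates published in federation metadata:"
$published | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize

# Local cross-check (only meaningful on the ADFS server, where the cmdlet exists):
# a staged secondary certificate that is missing from the metadata would never be
# seen by auto-rollover partners before promotion.
if (Get-Command Get-ADFSCertificate -ErrorAction SilentlyContinue) {
    $publishedThumbs = $published | ForEach-Object { $_.Thumbprint }
    Get-ADFSCertificate -CertificateType Token-Signing | ForEach-Object {
        if ($publishedThumbs -notcontains $_.Thumbprint) {
            Write-Warning "Local token-signing cert $($_.Thumbprint) is not in the published metadata."
        }
    }
}
```

Because the metadata is fetched over HTTPS, the download also exercises the communications (SSL) certificate Lutz distinguishes from the token-signing one; a TLS error here is a proxy or service-communication problem, not a token-signing problem.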