federationmetadata.xml SSO invalid certificates

    Question

  • Hi,

    The question is about single sign-on with SAML 2.0 and an Azure AD application (https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-federation-metadata and https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-custom-apps). I got this working, but I have a question regarding the X.509 certificates.

    Right now I'm using the certificate in <Signature> of https://login.microsoftonline.com/common/federationmetadata/2007-06/federationmetadata.xml. This works fine most of the time, but sometimes, I guess when the certificate is changed, the certificate is invalid for a while. As I understand it, the certificate should be fetched from the <IDPSSODescriptor>, but it always returns more than one certificate and it's always just one that's valid. That's why I'm using the one in <Signature>, but it isn't always working either.

    Why does https://login.microsoftonline.com/common/federationmetadata/2007-06/federationmetadata.xml return invalid certificates?

    Can I somehow know if a certificate is valid without trying to login?

    When you decode the certificates everything seems to be fine; they're valid and have not expired, but it isn't working anyway. The single sign-on service URL looks like this: https://login.microsoftonline.com/<id>/saml2

    Can I somehow use one "private" certificate that is always valid by doing something in Azure AD?

    Thanks in advance!

    Friday, April 28, 2017 9:01 AM
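Added example, not part of the original post or of any Microsoft code: a relying party that reads every signing certificate published under <IDPSSODescriptor> and checks the certificate carried by an incoming SAML response against that whole set. This is the behaviour the metadata format is designed for: during an identity-provider key rollover the metadata legitimately lists more than one signing certificate, and the relying party should accept any of them (and re-fetch the metadata on a schedule) rather than pin a single one. The certificate inside the top-level <Signature> signs the metadata document itself and is not necessarily a token-signing key, which is why trusting only that one breaks intermittently. The metadata document, tenant id and certificate bytes below are constructed placeholders, not real Azure AD values; the X509Certificate contents are base64 of arbitrary bytes, so the example demonstrates the selection and matching logic only. Verifying the XML signature with the matched key is a separate step that still has to happen.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins: base64 of arbitrary bytes, NOT real X.509 certificates.
OLD_KEY_B64 = base64.b64encode(b"constructed-old-token-signing-cert").decode()
NEW_KEY_B64 = base64.b64encode(b"constructed-new-token-signing-cert").decode()
META_SIGNER_B64 = base64.b64encode(b"constructed-metadata-document-signer").decode()

# Constructed federation metadata mimicking the layout of federationmetadata.xml
# during a key rollover: two KeyDescriptor use="signing" entries plus a separate
# certificate in the document-level <Signature>. TENANT-ID-PLACEHOLDER is a placeholder.
SAMPLE_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignatureValue>c2lnbmF0dXJl</SignatureValue>
    <KeyInfo><X509Data><X509Certificate>{meta_signer}</X509Certificate></X509Data></KeyInfo>
  </Signature>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{old_key}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{new_key}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
""".format(meta_signer=META_SIGNER_B64, old_key=OLD_KEY_B64, new_key=NEW_KEY_B64)


def _to_der(b64_cert: str) -> bytes:
    """Strip the line wrapping metadata files usually carry and decode to DER,
    so two copies of the same certificate compare equal however they were wrapped."""
    return base64.b64decode("".join(b64_cert.split()))


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, used as the trust-set key."""
    return hashlib.sha256(der).hexdigest()


def signing_certs(metadata_xml: str) -> Dict[str, bytes]:
    """Collect every certificate the IdP publishes for token signing.

    Returns {sha256 fingerprint: DER}. A KeyDescriptor without a 'use'
    attribute is valid for both signing and encryption per the SAML metadata
    specification, so it is included; use="encryption" entries are skipped.
    """
    root = ET.fromstring(metadata_xml)
    trusted: Dict[str, bytes] = {}
    for kd in root.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = _to_der(cert.text or "")
            trusted[fingerprint(der)] = der
    return trusted


def metadata_signer_cert(metadata_xml: str) -> Optional[bytes]:
    """Certificate from the document-level <Signature>. It vouches for the
    metadata file itself and is not part of the token-signing trust set."""
    root = ET.fromstring(metadata_xml)
    cert = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return _to_der(cert.text) if cert is not None and cert.text else None


def response_cert_is_trusted(response_cert_b64: str, trusted: Dict[str, bytes]) -> bool:
    """Decide trust from metadata, not from whatever certificate the SAML
    response happens to carry: the KeyInfo cert must match a published
    signing key. The caller still verifies the XML signature with that key."""
    return fingerprint(_to_der(response_cert_b64)) in trusted


if __name__ == "__main__":
    keys = signing_certs(SAMPLE_METADATA)
    print(f"{len(keys)} signing certificate(s) published by the IdP")
    for b64, label in ((OLD_KEY_B64, "old key"), (NEW_KEY_B64, "new key"),
                       (META_SIGNER_B64, "metadata signer")):
        print(f"{label:16} trusted={response_cert_is_trusted(b64, keys)}")
```

In a real relying party the trust set would be rebuilt from a freshly downloaded metadata document on a timer (and on a lookup miss, to pick up an unannounced rollover), and the DER bytes would be loaded into an XML-signature library to verify the assertion; the point the example isolates is that the lookup must run over every certificate in <IDPSSODescriptor>, not over the one in <Signature>.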

All replies

  • Did you check this? https://docs.microsoft.com/en-us/azure/active-directory/active-directory-sso-certs
    Thursday, July 13, 2017 6:02 AM