Can some relying parties use a different token signing cert?

  • Question

  • My understanding is that all parties in the relying party section will use the same token signing certificate that is shown in the certs section.

    Is there a way in ADFS 2.0 for one relying party to use a different token signing cert? I notice there is a Signature tab in the RP properties. Is this where you can specify a different token signing cert?


    Thanks

    Piley


    IT Engineer currently working on implementing ADFS 2.0 in a corporate environment.
    Wednesday, July 6, 2011 9:51 AM

Answers

  • Within ADFS you can define multiple ADFS Token Signing Certs. However, ADFS will always only use the primary cert for Token Signing. This is a central ADFS config and not a per-RP config.


    regards,

    jorge


    Jorge de Almeida Pinto [MVP-DS] (http://blogs.dirteam.com/blogs/jorge/default.aspx)
    • Marked as answer by Piley Thursday, July 21, 2011 10:09 AM
    Thursday, July 21, 2011 9:16 AM
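The answer above describes a farm-wide setting, so the practical check is to see which token-signing cert is primary and what the federation metadata actually publishes to relying parties. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes the ADFS 2.0 snap-in is present on the federation server and that `$FsHost` is replaced with your own federation service host name (the value below is a placeholder).

```powershell
# Added example (not from the thread). Assumes the ADFS 2.0 PowerShell snap-in
# is installed on the federation server. $FsHost is a placeholder assumption.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$FsHost = 'fs.example.com'   # assumption: replace with your federation service FQDN

# 1. Farm-wide token-signing configuration. This is where "primary" lives;
#    there is no per-relying-party equivalent, so every RP gets tokens
#    signed with whichever cert is marked IsPrimary here.
$signing = Get-ADFSCertificate -CertificateType Token-Signing
$signing | Select-Object IsPrimary, Thumbprint,
    @{n='Subject';  e={$_.Certificate.Subject}},
    @{n='NotAfter'; e={$_.Certificate.NotAfter}} | Format-Table -AutoSize

$primary = $signing | Where-Object { $_.IsPrimary }
if (-not $primary) { throw 'No primary token-signing certificate is configured.' }

# Auto rollover (on by default) swaps the primary on its own schedule. If you
# depend on a specific externally issued cert, as the thread describes, you
# need to know whether ADFS is allowed to replace it behind your back.
$props = Get-ADFSProperties
"AutoCertificateRollover: $($props.AutoCertificateRollover)"

# 2. What relying parties are actually told: pull the published federation
#    metadata, list every signing key in it, and confirm the primary is there.
$metadataUrl = "https://$FsHost/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$md = (New-Object System.Net.WebClient).DownloadString($metadataUrl)

$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

$xpath = '//md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
$published = $md.SelectNodes($xpath, $ns) | ForEach-Object {
    $raw = [Convert]::FromBase64String($_.InnerText.Trim())
    # Wrap the byte[] in a one-element array so New-Object passes it as one argument.
    (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)).Thumbprint
} | Sort-Object -Unique

"Signing thumbprints published in federation metadata:"
$published

if ($published -contains $primary.Thumbprint) {
    "OK: primary token-signing cert $($primary.Thumbprint) is in the published metadata."
} else {
    Write-Warning "Primary $($primary.Thumbprint) is not in the published metadata; RPs that imported this metadata do not trust the current primary."
}
```

Run it on a federation server as an ADFS administrator; the metadata fetch works from any host that can reach the federation service over HTTPS.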

All replies

  • I'm not sure that's what the properties are for. Signing something requires the private key, and the properties only allow for public keys. As far as I know you can't use different keys for different relying parties.

    Is there a particular case that you need this?


    Developer Security MVP | www.steveonsecurity.com
    Wednesday, July 6, 2011 6:02 PM
  • Hi Steve

    Thanks for the reply. We're trying to establish SSO to an Azure application that we own/manage.

    We are currently using an internally generated SSL certificate from our RA for token signing. For reasons I can't explain, this certificate will not import into ACS within Azure. The current solution is to use our external wildcard certificate instead, but that will mean sending that certificate to our other RPs to use.

    I was hoping we could just use the wildcard for the Azure application and our other RA-generated one for the rest.

    Doesn't look like it's possible.

    Piley


    IT Engineer currently working on implementing ADFS 2.0 in a corporate environment.
    Thursday, July 7, 2011 8:23 AM
  • Bumping as I need confirmation.

    Does anyone know if it's possible to use a different token signing cert for an RP instead of the one listed in the certificates section in ADFS?

    Or will all RPs use the same cert that is specified in certificates?


    IT Engineer currently working on implementing ADFS 2.0 in a corporate environment.
    Monday, July 18, 2011 8:34 AM
  • 

    Thanks Jorge.
    IT Engineer currently working on implementing ADFS 2.0 in a corporate environment.
    Thursday, July 21, 2011 10:09 AM