Custom changes to the Azure AD certificate

Strychocki, Pawel 1 Reputation point
2021-09-23T16:48:35.877+00:00

Hi All,

We're using the Azure AD as IdP SSO for our Oracle Service Cloud (OSvC). OSvC consists of two sites - Agent Console (AC) and the Customer Portal (CP).
In Oracle's understanding, the Agent Console and the Customer Portal are two parts of the Oracle Service Cloud. And both of them require different user authentication.
In Azure understanding, AC and CP are two different applications. This means we have to create two different applications in Azure.
To connect Azure with AC/CP we need to export metadata file from OSvC and upload it into the Azure Application. This metadata file is similar for both Agent Console and Customer Portal.
As a result, we have two certificates with different thumbprints and identical “Issued To” and “Issued By” values.
Whenever we request SSO entry, OSvC grabs the first certificate it finds uploaded that has the Issuer and Subject as in the SSO request and then checks the Thumbprints. If we have two different certificates uploaded that have similar Subject and Issuer and different thumbprints, SSO will break on one of the authentication attempts.
So the identical “Issued To” and “Issued By” values, on both certificates, mislead the SSO.

At this point I can see only two ways:

  1. Use 2 applications in Azure, and then change the “Issued To” and “Issued By” values on one of the certificates;
  2. Use 2 applications in Azure, and then change the thumbprints to be the same on both certs.

Is either of these two options possible?

1 answer

  1. Siva-kumar-selvaraj 15,651 Reputation points
    2021-09-24T11:07:03.613+00:00

    Hello @Strychocki, Pawel ,

    Thanks for reaching out.

    Azure AD auto-generates a SAML signing certificate when you set up SSO, and these certificates are self-signed, therefore you can neither modify the (“Issued To” and “Issued By”) values nor re-use the certificate, let's say reuse App-1's auto-generated certificate for App-2.

    The feasible way would be creating your own self-signed certificate (with signing algorithm SHA-256/SHA-1) and uploading the newly created cert along with its private key to App1 and App2 and then activating them in the portal, so that you would have the same certificate for both applications, (or) creating two different new self-signed certificates and then uploading them to App1 and App2.

    To learn more about Manage certificates for federated single sign-on in Azure Active Directory: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/manage-certificates-for-federated-single-sign-on

    Create and export your public certificate with its private key: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-self-signed-certificate#option-2-create-and-export-your-public-certificate-with-its-private-key

    Hope this helps.

    1 person found this answer helpful.
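As an added example (not code from the question, the answer, Microsoft or Oracle): a Go check using only the standard library that reproduces the failure mode described in the question. It generates two distinct self-signed certificates with identical Subject and Issuer, computes the SHA-1 thumbprints the portal displays, and flags every Subject/Issuer pair that is backed by more than one thumbprint, the state in which OSvC may pick the wrong certificate. The certificate names are constructed placeholders; the same certificate uploaded to both applications, as the answer recommends, is not reported.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// newSelfSigned returns a throwaway self-signed cert with the given CN: constructed
// test data standing in for the SAML signing cert Azure AD generates per application.
func newSelfSigned(cn string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour)} // self-signed: Issuer == Subject
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Thumbprint is the SHA-1 hash of the DER encoding, the value the Azure portal shows.
func Thumbprint(c *x509.Certificate) string {
	sum := sha1.Sum(c.Raw)
	return hex.EncodeToString(sum[:])
}

// Conflicts returns each "Subject | Issuer" pair backed by more than one distinct
// thumbprint, which is exactly the state in which OSvC may pick the wrong certificate.
func Conflicts(certs []*x509.Certificate) map[string]bool {
	first, out := map[string]string{}, map[string]bool{} // name -> first thumbprint seen
	for _, c := range certs {
		k, tp := c.Subject.String()+" | "+c.Issuer.String(), Thumbprint(c)
		if seen, ok := first[k]; !ok {
			first[k] = tp
		} else if seen != tp { // same name, different cert; one cert shared by both apps is fine
			out[k] = true
		}
	}
	return out
}
```

Run `Conflicts` over the certificates exported from each Azure application before uploading them to OSvC; an empty result means Subject and Issuer identify a single certificate.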
