Where does the SSO signing certificate originate from for multi-tenant SAML apps?

Howard Smith 0 Reputation points
2023-04-03T14:30:11.9566667+00:00

I have a working App Registration and Service Provider for SAML authentication, in Azure.

Note: This application is not (yet) federated or joined with ADFS.

App Registration (Tenant A)

        -> Service Provider (Tenant A)
                 Signed Certificate - on Azure SAML page

        -> Service Provider (Tenant B) - auto created with Consent
                 No place to edit Certificate?

When I switch the App Registration from single to multi tenant, the handshake continues to work in Tenant A (home Tenant). However, I receive a different Signed certificate (SAML XML) when logging into a secondary tenant (Tenant B).

Since the SP (Service Provider) for Tenant B uses Tenant A's app registration, there is no obvious place to change or modify the external Tenant's certificate.

So the questions are:

 - Where does the Signed Cert on the request come from, when accessing Tenant B?
 - How can I change this to use the same Certificate used to sign the Tenant A request?

Sincere thanks!

Howard


  1. Sandeep G-MSFT 20,896 Reputation points Microsoft Employee Moderator
    2023-04-06T03:54:46.3533333+00:00

    @Howard Smith Thank you for posting this in Microsoft Q&A. For every application that you register in Azure AD, there is a service principal that gets created under enterprise applications. For multi-tenant applications, the application is registered in only one tenant. A service principal gets created in every other tenant that provisions this application; no application gets registered in those other tenants. Now, the token signing certificate is different for different tenants. Usually, the token signing certificate is used for signing the token which is sent by Azure AD to the application post authentication. Before accessing the token, the application will validate the signature of the certificate. This certificate is different for different tenants. Yes, you can download the certificate from the tenant where the application is registered and upload it to the other tenant where the service principal is created.

    Let me know if you have any further questions on this. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
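The practical check that follows from the answer above: before trusting a SAML response from a second tenant, the SP needs that tenant's signing certificate on its trust list. This added example (not code from the question, the answer, or Microsoft) parses two constructed stand-ins for a tenant's SAML federation metadata, extracts the SHA-1 thumbprint of each `IDPSSODescriptor` signing certificate, and reports which tenants the SP would reject. The certificate bytes and tenant names are placeholders, not real Entra ID output.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML-DSig namespaces used in federation metadata documents
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signing_thumbprints(metadata_xml: str) -> list[str]:
    """SHA-1 thumbprints (uppercase hex, as shown in the Azure portal) of every
    signing certificate advertised in the IDPSSODescriptor of a metadata document."""
    root = ET.fromstring(metadata_xml)
    thumbs = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute may be used for both signing and encryption
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # strip PEM line wrapping
            thumbs.append(hashlib.sha1(der).hexdigest().upper())
    return thumbs


def untrusted_tenants(sp_trusted: set[str], tenant_metadata: dict[str, str]) -> list[str]:
    """Tenants advertising a signing thumbprint the SP does not trust; SAML responses
    from these tenants will fail signature validation at the SP (the Tenant B symptom)."""
    return [name for name, xml in tenant_metadata.items()
            if not set(signing_thumbprints(xml)) <= sp_trusted]


def metadata_for(tenant_id: str, cert_b64: str) -> str:
    # Constructed stand-in for one tenant's federation metadata (hypothetical, minimal).
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sts.windows.net/{tenant_id}/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


# Constructed placeholder certificate bytes (not real DER), one per tenant
META_A = metadata_for("tenant-a-placeholder", base64.b64encode(b"tenant-a-signing-cert").decode())
META_B = metadata_for("tenant-b-placeholder", base64.b64encode(b"tenant-b-signing-cert").decode())

if __name__ == "__main__":
    trusted = set(signing_thumbprints(META_A))   # SP configured only with Tenant A's cert
    print("tenants the SP would reject:", untrusted_tenants(trusted, {"A": META_A, "B": META_B}))
```

Fetching each tenant's real metadata and feeding it to the same functions gives the thumbprint the SP must be told to trust, or confirms that the certificate uploaded per the answer above now matches.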

