Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,629 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 78%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESG%3C/text%3E%3C/svg%3E)
There are multiple certificates that are used in ADFS. Token signing certificate is the one which is used by ADFS to sign the SAML response token that is sent to SP post authentication.
The certificate which is used under Signature tab in relying party properties is the one which is used by SP to sign the SAML request token.
Below is the flow which is used while authentication.
User tries to access the application (SP). Application sends the SAML request to ADFS/Azure AD (IDP). ADFS/Azure AD authenticates the user and sends the SAML response back to application.
SAML response is signed by a token signing certificate used in ADFS/Azure AD. This certificate will be present in IDP metadata. While configuration when this metadata is uploaded in applications
And SAML request is signed by application. When the request reaches IDP, it has to validate the signature and then it accepts the SAML request. This certificate is uploaded on IDP side. This is the certificate used under Signature tab in relying party properties.
If you are looking for this certificate in Azure AD then it is under SAML certificates,
Let me know if you have any further questions on this. Please "Accept the answer" if the information helped you. This will help us and others in the community as well.