Upload metadata file does not upload certificate in SAML Certificates >Verification certificates (optional)

Venkatesh Naik 20 Reputation points
2024-09-26T11:13:17.1233333+00:00

I have added the node with the certificate string value in an XML file, alongside the entityID, SingleLogoutService, and AssertionConsumerService nodes. However, while the entityID, logout URL, and response URL are being uploaded, the certificate is not. Does Microsoft Azure support uploading certificates through the metadata file?


Accepted answer
    Raja Pothuraju 6,510 Reputation points Microsoft Vendor
    2024-09-26T13:06:55.21+00:00

    Hello @Venkatesh Naik,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, I understand that when you upload the metadata XML file in Entra under Enterprise Applications, the Basic SAML Configuration URLs are being updated, but the SAML certificate in Azure is not. This is expected behavior because, when you add a new application from the gallery and configure SAML-based sign-on (by selecting Single sign-on > SAML from the application overview page), Microsoft Entra ID automatically generates a self-signed certificate for the application, valid for three years. If you prefer to use your own certificate instead of the one generated by Azure, you will need to manually upload the certificate under the SAML certificates section by clicking the Edit icon (the pencil).

    When you upload the application metadata XML file to Azure, only the Identifier (Entity ID), Reply URL (Assertion Consumer Service URL), Sign-on URL, Relay State, and Logout URL are uploaded if these values are present in the XML. As mentioned earlier, when creating an application from either the gallery or non-gallery, Microsoft Entra ID will automatically generate a self-signed certificate for the application that is valid for three years. The certificate that is present in Entra needs to be uploaded on the service provider (application) end.

    Please refer to the screenshot below to upload your own certificate for your SAML application.

    [screenshot omitted]

    Manage certificates for federated single sign-on

    Advanced certificate signing options in a SAML token

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.

    1 person found this answer helpful.
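Before concluding that the upload silently dropped the certificate, it helps to check what the metadata file actually contains and to separate the fields the answer says Entra imports from the part that has to be configured by hand. The following script is an added example (my own, not code from Microsoft or from this thread): it parses SP metadata with the Python standard library, extracts entityID, AssertionConsumerService and SingleLogoutService, decodes any KeyDescriptor certificate, and reports the certificate as the item that still needs a manual upload under SAML Certificates. The metadata document, the URLs and the base64 certificate placeholder are all constructed for the example; the placeholder is a minimal DER SEQUENCE, not a real X.509 certificate.

```python
import base64
import xml.etree.ElementTree as ET

# SAML 2.0 metadata and XML-DSig namespaces used in SP metadata files.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder standing in for a real X.509 certificate:
# base64 of a five-byte DER SEQUENCE. Not a real certificate.
PLACEHOLDER_CERT = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()


def build_sample_metadata(include_cert=True):
    """Return constructed SP metadata (hypothetical sp.example.test URLs).
    include_cert=False models a file whose KeyDescriptor was left out."""
    key_descriptor = ""
    if include_cert:
        key_descriptor = (
            '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
            f"<ds:X509Certificate>{PLACEHOLDER_CERT}</ds:X509Certificate>"
            "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        )
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
        'entityID="https://sp.example.test/saml">'
        '<md:SPSSODescriptor protocolSupportEnumeration='
        '"urn:oasis:names:tc:SAML:2.0:protocol">'
        f"{key_descriptor}"
        '<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" '
        'Location="https://sp.example.test/saml/slo"/>'
        '<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        'Location="https://sp.example.test/saml/acs" index="0" isDefault="true"/>'
        "</md:SPSSODescriptor></md:EntityDescriptor>"
    )


def inspect_sp_metadata(xml_text):
    """Parse SP metadata and collect the elements relevant to the Entra upload."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no md:SPSSODescriptor in metadata")

    info = {"entityID": root.get("entityID"), "acs": [], "slo": [], "certs": []}
    for acs in sp.findall("md:AssertionConsumerService", NS):
        info["acs"].append((acs.get("Binding"), acs.get("Location"), acs.get("index")))
    for slo in sp.findall("md:SingleLogoutService", NS):
        info["slo"].append((slo.get("Binding"), slo.get("Location")))
    for kd in sp.findall("md:KeyDescriptor", NS):
        node = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if node is None or not node.text:
            continue
        # Strip the line breaks PEM-style files carry, then strictly decode base64.
        raw = base64.b64decode("".join(node.text.split()), validate=True)
        info["certs"].append({
            "use": kd.get("use", "signing and encryption"),
            "der_bytes": len(raw),
            "looks_like_der": raw[:1] == b"\x30",  # DER certificates start with SEQUENCE
        })
    return info


def upload_plan(info):
    """Split what the metadata upload sets in Entra from what the answer above
    says must still be done by hand."""
    plan = {
        "imported_by_upload": {
            "Identifier (Entity ID)": info["entityID"],
            "Reply URL (ACS)": [loc for _, loc, _ in info["acs"]],
            "Logout URL": [loc for _, loc in info["slo"]],
        },
        "manual": [],
    }
    if info["certs"]:
        plan["manual"].append(
            "KeyDescriptor certificate is present but not imported: upload it under "
            "SAML Certificates > Verification certificates (Edit / pencil icon)")
    else:
        plan["manual"].append(
            "no KeyDescriptor in the file: the certificate was never in the metadata")
    plan["manual"].append(
        "download the Entra-generated signing certificate and install it on the SP")
    return plan


if __name__ == "__main__":
    for with_cert in (True, False):
        info = inspect_sp_metadata(build_sample_metadata(with_cert))
        print(upload_plan(info))
```

Run it against your real metadata by replacing the constructed document with the file's contents; if `certs` comes back empty, the certificate was missing from the file rather than dropped by the upload, and in either case the verification certificate goes in by hand as the answer describes.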

0 additional answers
