Trying to activate a new cert for SSO, but the new cert has the same Federation Metadata XML, so the application won't let me update to the new cert because it looks the same as the old one.

Logan Harvey 0 Reputation points
2024-11-26T22:13:38.0366667+00:00

Uploading a new SSO cert; the old cert's metadata URL is https://login.microsoftonline.com/12345

The new cert should be different, I assume, but it is also https://login.microsoftonline.com/12345. After looking at the XML, they both look identical too.

I'm afraid to delete the current cert as it's still active for 5 more weeks, and would need to turn off SSO for the app if it doesn't work.

Microsoft Entra ID

1 answer

  1. Harshitha Eligeti 970 Reputation points Microsoft Vendor
    2024-11-27T20:05:10.1833333+00:00

    Hi @Logan Harvey

    Thank you for sharing your issue on Microsoft Q&A. 

    I understand that you are trying to activate a new certificate for SSO, but the new certificate appears to have the same Federation Metadata XML as the old one. This is causing the application to reject the new certificate because it looks identical to the old one. 

    The metadata URL alone is not enough to distinguish between certificates. To differentiate them, the thumbprint of the certificate must be unique. Even if the Federation Metadata XML URL appears identical, the thumbprint is the unique identifier for each certificate. 

    Therefore, before proceeding, you should check that the new certificate has a different thumbprint from the old one. If the thumbprints are the same, the new certificate is not considered a valid replacement. 

    Delete the old certificate once you're confident the new certificate is working without any issues. 

    For additional information, refer to this link: https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/tutorial-manage-certificates-for-federated-single-sign-on

    Hope this helps. Do let us know if you have any further queries.


    If this answers your query, do click Accept Answer and Yes for "Was this answer helpful". And, if you have any further query, do let us know.

    Best Regards.
    Harshitha Eligeti 

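The check the answer describes, comparing signing-certificate thumbprints rather than metadata URLs, as an added example that is not part of the original post or of any Microsoft tooling. It parses two SAML federation metadata documents, computes the SHA-1 thumbprint of every signing certificate, and reports whether the new metadata actually carries a certificate the old one lacked. The metadata documents and the certificate bytes inside them are constructed placeholders, not real Entra certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 federation metadata.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def signing_thumbprints(metadata_xml: str) -> set[str]:
    """Return the SHA-1 thumbprints (upper-case hex, as the Entra portal shows
    them) of every signing certificate in a federation metadata document."""
    root = ET.fromstring(metadata_xml)
    thumbs = set()
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute covers signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            thumbs.add(hashlib.sha1(der).hexdigest().upper())
    return thumbs


def is_distinct_replacement(old_xml: str, new_xml: str) -> bool:
    """True only if the new metadata advertises at least one signing
    certificate that the old metadata did not (same URL is irrelevant)."""
    return bool(signing_thumbprints(new_xml) - signing_thumbprints(old_xml))


# Constructed sample metadata: the X509Certificate content is arbitrary bytes,
# not a real certificate, which is enough to exercise the thumbprint comparison.
def _metadata(cert_b64: str) -> str:
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
  entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


OLD_METADATA = _metadata(base64.b64encode(b"old-cert-placeholder").decode())
NEW_METADATA = _metadata(base64.b64encode(b"new-cert-placeholder").decode())

if __name__ == "__main__":
    print("old:", signing_thumbprints(OLD_METADATA))
    print("new:", signing_thumbprints(NEW_METADATA))
    print("distinct replacement:", is_distinct_replacement(OLD_METADATA, NEW_METADATA))
```

Run the same comparison against the metadata you downloaded before and after creating the new certificate; if `is_distinct_replacement` returns False, the application is right to treat the upload as a duplicate.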
