Active Directory Federation Service - Office365

Ines 21 Reputation points
2020-04-20T17:19:12.877+00:00

Hi

  1. For the O365 relying party trust: the Encryption Certificate is blank. Is that normal? Can we set up a certificate? If yes, how?
  2. The Token-Decrypting and Token-Signing certificates are self-signed by default (not issued by a CA). May they be issued by a CA? If yes, is it recommended?

Thanks


Accepted answer
  1. Pierre Audonnet - MSFT 9,976 Reputation points Microsoft Employee
    2020-04-20T23:29:18.727+00:00

    First of all, you do not need ADFS to have Single Sign On between your on-premises clients, you can use Azure AD Connect Seamless SSO. Have a look if you are interested: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso.

    Then, the token issued by ADFS is not encrypted. So there is no encryption certificate to use on the trust. That's expected. Note that the token is signed and it is transported over TLS.

    By default, token-signing and token-decrypting certificates are self-signed. Those certificates automatically roll over, and unless you have an internal policy that prevents you from using self-signed certificates, you can just keep those as-is. Certificate revocation checking is not performed on those certificates.


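The three points in the accepted answer (no encryption certificate on the O365 trust, self-signed token certificates that roll over automatically, no revocation checking) can all be verified on your own farm. The script below is an added example, not part of the original post or of Microsoft's answer. It assumes AD FS 2012 R2 or later with the ADFS PowerShell module on the federation server, and that the O365 relying party carries the default display name "Microsoft Office 365 Identity Platform" (an assumption; adjust `$rpName` if your trust was created with another name). The commented-out block at the end shows the shape of a switch to CA-issued certificates for question 2; the thumbprint and domain name in it are placeholders.

```powershell
# Added example (not from the original Q&A): audit the O365 relying party trust and the
# ADFS token-signing / token-decrypting certificates. Run in an elevated PowerShell
# session on an AD FS server.
# ASSUMPTIONS: AD FS 2012 R2+ with the ADFS module; the O365 trust uses the default
# display name below (change it if yours differs).
Import-Module ADFS

$rpName = 'Microsoft Office 365 Identity Platform'   # assumed default display name

function Get-O365TrustReport {
    param([string]$Name = $rpName)
    $rp = Get-AdfsRelyingPartyTrust -Name $Name
    if (-not $rp) { throw "Relying party trust '$Name' not found" }
    [pscustomobject]@{
        Name                          = $rp.Name
        EncryptClaims                 = $rp.EncryptClaims          # $false: tokens are signed, not encrypted
        EncryptionCertificate         = if ($rp.EncryptionCertificate) { $rp.EncryptionCertificate.Thumbprint }
                                        else { '<none> (expected for O365)' }
        SignatureAlgorithm            = $rp.SignatureAlgorithm
        SigningCertRevocationCheck    = $rp.SigningCertificateRevocationCheck
        EncryptionCertRevocationCheck = $rp.EncryptionCertificateRevocationCheck
    }
}

function Get-AdfsTokenCertificateReport {
    # Token-Signing and Token-Decrypting certificates; Subject equal to Issuer marks a self-signed one.
    Get-AdfsCertificate |
        Where-Object { $_.CertificateType -in 'Token-Signing', 'Token-Decrypting' } |
        ForEach-Object {
            $c = $_.Certificate
            [pscustomobject]@{
                Type       = $_.CertificateType
                IsPrimary  = $_.IsPrimary
                Thumbprint = $_.Thumbprint
                Subject    = $c.Subject
                SelfSigned = ($c.Subject -eq $c.Issuer)
                NotAfter   = $c.NotAfter
                DaysLeft   = [int]($c.NotAfter - (Get-Date)).TotalDays
            }
        }
}

function Get-AdfsRolloverReport {
    # Farm-level settings that drive automatic rollover of the self-signed certificates.
    Get-AdfsProperties | Select-Object AutoCertificateRollover, CertificateDuration,
        CertificateGenerationThreshold, CertificatePromotionThreshold, CertificateRolloverInterval
}

Get-O365TrustReport           | Format-List
Get-AdfsTokenCertificateReport | Format-Table -AutoSize
Get-AdfsRolloverReport        | Format-List

# If an internal policy requires CA-issued token certificates (question 2), the switch looks
# like this. Auto-rollover must be disabled first, the new certificate (with private key) must
# be in the computer store and readable by the AD FS service account, and the federation
# metadata on the Azure AD side must be refreshed afterwards with the MSOnline module,
# otherwise federated sign-in to O365 breaks. Thumbprint and domain are placeholders.
#
# Set-AdfsProperties -AutoCertificateRollover $false
# Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint '<thumbprint of CA-issued cert>'
# Restart-Service adfssrv
# Connect-MsolService
# Update-MsolFederatedDomain -DomainName 'contoso.com'   # placeholder domain
```

On a default deployment the first report shows `EncryptClaims` false and no encryption certificate, the second lists self-signed certificates (Subject equals Issuer) for both types, and the third shows `AutoCertificateRollover` true. If you do move to CA-issued certificates, note that the rollover automation is switched off with them, so the expiry dates in the second report become something you must track yourself.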