Active Directory Federation Service - Office365

Ines 21 Reputation points


  1. For O365 relying party trust: the Encryption Certificate is blank? is it normal? can we setup certificat? if yes How?
  2. For Token Decrypting and Token signing Certificates are by default self-signed. (not issued by a CA). May be issued by a CA? if yes, is it recommended


Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,205 questions
{count} votes

Accepted answer
  1. Pierre Audonnet - MSFT 10,166 Reputation points Microsoft Employee

    First of all, you do not need ADFS to have Single Sign On between your on-premises clients, you can use Azure AD Connect Seamless SSO. Have a look if you are interested:

    Then, the token issued by ADFS is not encrypted. So there is no encryption certificate to use on the trust. That's expected. Note that the token is signed and it is transported over TLS.

    By default, token signing and token decrypting certificates are self-signed. Those certificates automatically roll-over and unless you have a interal policy that prevents you from using self-signed certificates, you can just keep those as-is. Certification revocation is not performed on those certificates.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful