Multiple Signature certificates in ADFS Relying Party

Question

Multiple Signature certificates in ADFS Relying Party

igtsvi 1

My application (SP) is in process of rolling over the signing certificates and including both the old and the new certificates in the SP Metadata. ADFS is set up to auto-update the relying party metadata. ADFS has now auto-updated pulling in both certificates in. Now the SP-initiated SAML is failing as it seems that ADFS is only using the most recent cert, which is not the cert with which the SAML Request is signed. We were under the impression that multiple signature certs can be loaded into a relying party trust and ADFS would try both, however, we're observing that it is only trying the first cert. Is there a configuration on ADFS that we're missing?

Pierre Audonnet - MSFT 10,201 Reputation points Microsoft Employee Moderator

2020-06-27T16:36:09.283+00:00

"We were under the impression that multiple signature certs can be loaded into a relying party trust and ADFS would try both"

So would I :) Do you have error messages or logs to share?
S.R 26 Reputation points

2021-07-13T18:36:36.123+00:00

Hi Pierre,

Saeed here, I've got exact same issue today with one of our RPs. As far I can recall we have always added the new cert and had multiple certificates under the "Signature" tab per RP.
Both existing cert that nears its expiry date and new cert will live until SP decides to use the new cert to sign its request after which sign in will continue without interruption.

The error reported in ADFS admin log is:
Except_ID6013_ The signature verification failed

With the error above user login fails and removing the new cert will restore access. Has something changed OR we might have set a setting per this RP that forces ADFS to use to most recent certificate?
Pierre Audonnet - MSFT 10,201 Reputation points Microsoft Employee Moderator

2021-07-20T13:05:04.66+00:00

Would you mind sharing a Fiddler trace of the attempt along with the export of the relying party trust settings?
JD 1 Reputation point

2021-11-16T09:08:02.51+00:00

did you ever get to the bottom of this?
I need to add a new expiry date and don't want to break anything by adding the new one early.
thanks

1 answer

Your answer

Pierre Audonnet - MSFT 10,201 Reputation points Microsoft Employee Moderator

2020-06-27T16:36:09.283+00:00

"We were under the impression that multiple signature certs can be loaded into a relying party trust and ADFS would try both"

So would I :) Do you have error messages or logs to share?
S.R 26 Reputation points

2021-07-13T18:36:36.123+00:00

Hi Pierre,

Saeed here, I've got exact same issue today with one of our RPs. As far I can recall we have always added the new cert and had multiple certificates under the "Signature" tab per RP.
Both existing cert that nears its expiry date and new cert will live until SP decides to use the new cert to sign its request after which sign in will continue without interruption.

The error reported in ADFS admin log is:
Except_ID6013_ The signature verification failed

With the error above user login fails and removing the new cert will restore access. Has something changed OR we might have set a setting per this RP that forces ADFS to use to most recent certificate?
Pierre Audonnet - MSFT 10,201 Reputation points Microsoft Employee Moderator

2021-07-20T13:05:04.66+00:00

Would you mind sharing a Fiddler trace of the attempt along with the export of the relying party trust settings?
JD 1 Reputation point

2021-11-16T09:08:02.51+00:00

did you ever get to the bottom of this?
I need to add a new expiry date and don't want to break anything by adding the new one early.
thanks

Answer 1

Pierre Audonnet - MSFT 10,201 Microsoft Employee Moderator

What do you mean by "Now the SP-initiated SAML is failing as it seems that ADFS is only using the most recent cert"? ADFS is not signing things with the certificates presents on the RP config. It is only verify signature with those (ADFS doesn't even have the assocaited private key). So can you please described where you get the error and what errror it is?

Share via

Multiple Signature certificates in ADFS Relying Party

1 answer

Your answer