Multiple Signature certificates in ADFS Relying Party

igtsvi 1 Reputation point
2020-06-15T23:41:11.233+00:00

My application (SP) is in the process of rolling over the signing certificates and including both the old and the new certificates in the SP Metadata. ADFS is set up to auto-update the relying party metadata. ADFS has now auto-updated, pulling both certificates in. Now the SP-initiated SAML is failing, as it seems that ADFS is only using the most recent cert, which is not the cert with which the SAML Request is signed. We were under the impression that multiple signature certs can be loaded into a relying party trust and ADFS would try both; however, we're observing that it is only trying the first cert. Is there a configuration on ADFS that we're missing?

Active Directory Federation Services

1 answer

  1. Pierre Audonnet - MSFT 10,171 Reputation points Microsoft Employee
    2021-11-16T13:31:03.667+00:00

    What do you mean by "Now the SP-initiated SAML is failing as it seems that ADFS is only using the most recent cert"? ADFS is not signing things with the certificates present on the RP config. It only verifies signatures with those (ADFS doesn't even have the associated private key). So can you please describe where you get the error and what error it is?

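A diagnostic for the rollover scenario in the question, added here and not part of the original thread: it lists the request-signing certificates ADFS holds for the relying party trust (the ones the answer says ADFS uses only to verify incoming SAML requests) and compares them against the signing certificates advertised in the SP metadata, so a certificate the SP signs with but ADFS does not trust is spotted before the SSO flow fails. The trust name "Contoso SP" and the metadata path C:\temp\sp-metadata.xml are placeholders; run it on an ADFS server with the ADFS module available.

```powershell
# Added diagnostic (not from the thread). Placeholders: RP trust name and metadata path.
Import-Module ADFS

$rpName      = 'Contoso SP'                 # placeholder relying party trust name
$metadataXml = 'C:\temp\sp-metadata.xml'    # placeholder: SP metadata saved locally

# 1. Request-signing certificates ADFS currently holds for this RP.
#    ADFS uses these only to VERIFY signatures on SAML requests; it never signs with them.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found." }
$adfsThumbs = @($rp.RequestSigningCertificate | ForEach-Object { $_.Thumbprint })
"Request-signing certs loaded in ADFS for '$rpName':"
$rp.RequestSigningCertificate |
    Select-Object Subject, NotBefore, NotAfter, Thumbprint | Format-Table -AutoSize

# 2. Signing certificates the SP metadata advertises (KeyDescriptor use="signing",
#    or no use attribute, which SAML metadata treats as both signing and encryption).
[xml]$md = Get-Content -Path $metadataXml
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$keyNodes = $md.SelectNodes("//md:SPSSODescriptor/md:KeyDescriptor[@use='signing' or not(@use)]", $ns)
$metaThumbs = foreach ($kd in $keyNodes) {
    $b64  = ($kd.SelectSingleNode('.//ds:X509Certificate', $ns).InnerText) -replace '\s', ''
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                [Convert]::FromBase64String($b64))
    $cert.Thumbprint
}
"Signing certs advertised in SP metadata: $($metaThumbs -join ', ')"

# 3. Any cert the SP may sign requests with that ADFS does not hold will fail verification.
$missing = @($metaThumbs | Where-Object { $adfsThumbs -notcontains $_ })
if ($missing.Count -gt 0) {
    "Advertised by SP but NOT loaded in the RP trust: $($missing -join ', ')"
} else {
    "All SP signing certs from metadata are present in the RP trust."
}
```

If a certificate turns out to be missing, Set-AdfsRelyingPartyTrust -TargetName <name> -RequestSigningCertificate accepts an array of X509Certificate2 objects, so both the old and the new certificate can be loaded explicitly while monitoring is enabled.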