Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2016-09-30) Azure AD Warns You About An Upcoming Token Signing Certificate Expiration To Federate With An Application

Posted by Jorge on 2016-09-30


You are using Azure AD for federate with other SaaS solutions (e.g. SalesForce) so that you can achieve SSO when either logging on with your Azure AD credentials or if you are using an on-premises federation solution like ADFS your on-premises AD credentials (assuming you are using AD). As you may know every federation trust is based upon certificates and certificates do expire.

[1] As the Identity Provider (IdP) you will always have a Token Signing certificate to sign security tokens/SAML responses issued by the IdP for the Service Provider (SP).

[2] As the Service Provider (SP) you may have Token Signing certificate to sign SAML request issued for the SP for the Identity Provider (IdP) and/or a Token Encryption certificate to decrypt the assertions in the security tokens/SAML responses that were issued and encrypted by the Identity Provider (IdP).

With that in mind you will have replace those certificates before they expire. And in this case we focus on [1].

Azure AD to the rescue! And that’s where Azure AD comes in to warn about a certificate it knows about that will expire within some number of days.

When that happens, and this case it is about federating between Azure AD and SalesForce, you will receive an e-mail similar to the one below.

Action required: Your usage of Salesforce using Azure Active Directory may incur downtime if action is not taken to update the certificate used for single sign-on.

image

Figure 1: Mail From The Azure AD Team Warning About An Upcoming Certificate Expiration

As the e-mail mentions perform the following steps:

  • [1] Sign into the Azure classic portal using an global administrator account that also has service administrator or co-administrator permissions.
  • [2] Under the Active Directory tab, select the following directory name:  <Directory Name>
  • [3] Select the Applications tab, then select <Application name>.
  • [4] On the Quick Start tab (represented by the blue cloud icon), select the Configure single sign-on button.
  • [5] Select Microsoft Azure AD Single Sign-On and select Next.
  • [6] In the Configure App Settings screen, select Configure the certificate used for federated single sign-on and select Next.

image

Figure 2: Choosing The SSO Option For The Application

As the e-mail mentions perform the following steps:

  • [6] In the Configure App Settings screen, select Configure the certificate used for federated single sign-on and select Next.

Arriving at the “Configure App Settings” screen you should already have a “Sign On URL” and a “Identifier” specified

image

Figure 3: Configuring App Settings

In this case for SalesForce, go to SalesForce and on the screen on the left where it says “Administer” click on “Domain Management” and then click on “Domains”. On that page you will find the “Sign On URL” that needs to be specified in Azure AD (Figure 3).

image

Figure 4: Determining The SalesForce “Sign On URL”

In this case for SalesForce, go to SalesForce and on the screen on the left where it says “Administer” click on “Security Controls” and then click on “Single Sign-On Settings”. On that page you will find the “Identifier” that is configured in SalesForce for the IdP representing Azure AD and that needs to be specified in Azure AD (Figure 3).

image

Figure 5: Determining The SalesForce “Identifier”

As the e-mail mentions perform the following steps:

  • [7] In the Configure Federated SSO Certificate screen, select Generate a new certificate, choose an appropriate validity duration for the certificate and select Next.

image

Figure 6: Configuring An SSO Certificate

The mail does not mention the following steps, but you should execute the following steps:

  • [8] Click on Download Certificate and save the certificate file somewhere on your cmoputer

image

Figure 7: Configuring SSO For The Application In Azure AD

The mail does not mention the following steps, but you should execute the following steps (In this case for SalesForce):

  • [9] Go to SalesForce
  • [10] On the screen on the left where it says “Administer” click on Security Controls and then click on Single Sign-On Settings. On that page click on the IdP representing Azure AD.

image

Figure 8: Selecting And Editing The IdP In SalesForce That Represents Azure AD

  • [11] Click on Edit
  • [12] The “Issuer URL” (Figure 7) should be specified in (1)
  • [13] The “downloaded Certificate” (Figure 7) should be specified in (2). Click Browse and upload the certificate that you previously downloaded from Azure AD
  • [14] The “Remote Login URL” (Figure 7) should be specified in (3)
  • [15] The “Single Sign-Out Service URL” (Figure 7) should be specified in (4)
  • [16] Click on Save

image

Figure 9: Configuring The IdP In SalesForce That Represents Azure AD

  • [17] Now go back to the Azure AD portal (Figure 7)
  • [18] Check Confirm that you have configured single sign-on as described….
  • [19] Click Next
  • [20] Specify your mail address, if not already specified to receive a confirmation that SSO was configured
  • [21] Click Next

image

Figure 10: SSO Configuration Confirmation

Your access to the application through SSO should still work and you should be good to go for the amount of time the new certificate is valid.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: