Jorge's Quest For Knowledge!


(2016-09-30) Azure AD Warns You About An Upcoming Token Signing Certificate Expiration To Federate With An Application

Posted by Jorge on 2016-09-30


You use Azure AD to federate with other SaaS solutions (e.g. SalesForce) so that you can achieve SSO, either by logging on with your Azure AD credentials or, if you use an on-premises federation solution like ADFS, with your on-premises AD credentials (assuming you are using AD). As you may know, every federation trust is based upon certificates, and certificates do expire.

[1] As the Identity Provider (IdP) you always have a Token Signing certificate. Its private key signs the security tokens/SAML responses the IdP issues to the Service Provider (SP), and the SP uses the public certificate it has on file to verify that signature.

[2] As the Service Provider (SP) you may have a Token Signing certificate to sign the SAML requests the SP issues to the Identity Provider (IdP), and/or a Token Encryption certificate whose private key decrypts the assertions in the security tokens/SAML responses that the IdP issued and encrypted with the SP's public key.

With that in mind you will have to replace those certificates before they expire, and the other side of the trust needs the new public certificate before the old one goes out of use. In this post we focus on [1].

Azure AD to the rescue! Azure AD warns you about a certificate it knows about that will expire within some number of days.

When that happens, in this case for the federation between Azure AD and SalesForce, you receive an e-mail similar to the one below.

Action required: Your usage of Salesforce using Azure Active Directory may incur downtime if action is not taken to update the certificate used for single sign-on.

Figure 1: Mail From The Azure AD Team Warning About An Upcoming Certificate Expiration

As the e-mail mentions, perform the following steps:

  • [1] Sign into the Azure classic portal using a global administrator account that also has service administrator or co-administrator permissions.
  • [2] Under the Active Directory tab, select the following directory name:  <Directory Name>
  • [3] Select the Applications tab, then select <Application name>.
  • [4] On the Quick Start tab (represented by the blue cloud icon), select the Configure single sign-on button.
  • [5] Select Microsoft Azure AD Single Sign-On and select Next.
  • [6] In the Configure App Settings screen, select Configure the certificate used for federated single sign-on and select Next.

Figure 2: Choosing The SSO Option For The Application

As the e-mail mentions, perform the following step:

  • [6] In the Configure App Settings screen, select Configure the certificate used for federated single sign-on and select Next.

Arriving at the “Configure App Settings” screen you should already have a “Sign On URL” and an “Identifier” specified.

Figure 3: Configuring App Settings

In this case for SalesForce: go to SalesForce and, in the menu on the left under “Administer”, click “Domain Management” and then “Domains”. On that page you will find the “Sign On URL” that needs to be specified in Azure AD (Figure 3).

Figure 4: Determining The SalesForce “Sign On URL”

In this case for SalesForce: go to SalesForce and, in the menu on the left under “Administer”, click “Security Controls” and then “Single Sign-On Settings”. On that page you will find the “Identifier” that is configured in SalesForce for the IdP representing Azure AD; that exact value needs to be specified in Azure AD (Figure 3), because the SP matches the issuer of the SAML response against it.

Figure 5: Determining The SalesForce “Identifier”

As the e-mail mentions, perform the following step:

  • [7] In the Configure Federated SSO Certificate screen, select Generate a new certificate, choose an appropriate validity duration for the certificate and select Next.

Figure 6: Configuring An SSO Certificate

The e-mail does not mention the following step, but you should execute it:

  • [8] Click Download Certificate and save the certificate file somewhere on your computer.

Figure 7: Configuring SSO For The Application In Azure AD

The e-mail does not mention the following steps either, but you should execute them (in this case for SalesForce):

  • [9] Go to SalesForce
  • [10] On the screen on the left where it says “Administer” click on Security Controls and then click on Single Sign-On Settings. On that page click on the IdP representing Azure AD.

Figure 8: Selecting And Editing The IdP In SalesForce That Represents Azure AD

  • [11] Click on Edit
  • [12] The “Issuer URL” (Figure 7) should be specified in (1)
  • [13] The “downloaded Certificate” (Figure 7) should be specified in (2). Click Browse and upload the certificate that you previously downloaded from Azure AD
  • [14] The “Remote Login URL” (Figure 7) should be specified in (3)
  • [15] The “Single Sign-Out Service URL” (Figure 7) should be specified in (4)
  • [16] Click on Save

Figure 9: Configuring The IdP In SalesForce That Represents Azure AD

  • [17] Now go back to the Azure AD portal (Figure 7)
  • [18] Tick Confirm that you have configured single sign-on as described….
  • [19] Click Next
  • [20] Specify your mail address, if not already specified to receive a confirmation that SSO was configured
  • [21] Click Next

Figure 10: SSO Configuration Confirmation

Your access to the application through SSO should still work, and you should be good to go for as long as the new certificate is valid. Test a login right away, both started from SalesForce and from the Azure AD access panel: SalesForce validates the signature on the SAML response against the certificate you uploaded, so a wrong or missing certificate shows up as a failed login immediately, not weeks later. Also note the new expiry date and plan the next rotation before the warning e-mail arrives.
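The warning e-mail, step [8] and the SalesForce upload all hinge on two facts about the certificate file: when it expires, and whether it really is the certificate Azure AD signs with. The script below is an added example, not part of the original post and not Microsoft or SalesForce tooling. It uses openssl to print the thumbprint and expiry of a downloaded certificate, to answer “does it expire within N days” the way the e-mail does, and to compare the file with the signing certificate(s) published in a SAML 2.0 federation metadata document such as the one Azure AD serves for a federated app. The file names, the function names, the 30-day horizon and the metadata sample used in testing are this example's own assumptions; the XML layout is the standard metadata structure (KeyDescriptor / KeyInfo / X509Data / X509Certificate).

```sh
#!/bin/sh
# Added example, not part of the original post and not Microsoft or Salesforce
# tooling: check a downloaded token signing certificate before uploading it
# to the SP, and compare it with the signing certificate(s) an IdP publishes
# in its SAML 2.0 federation metadata. Requires openssl, grep, sed, awk, tr
# and fold. File names and function names are the example's own.

# The .cer the portal hands out may be PEM (Base64 with BEGIN/END armour) or
# raw DER; openssl has to be told which, so detect it from the armour.
cert_inform() {
    if grep -q 'BEGIN CERTIFICATE' "$1" 2>/dev/null; then echo PEM; else echo DER; fi
}

# Strip "SHA1 Fingerprint=" and the colons so the output matches the
# thumbprint format the Azure portal shows (40 upper-case hex digits).
fingerprint_to_thumbprint() {
    sed 's/^.*=//; s/://g'
}

# SHA-1 thumbprint of a certificate file.
cert_thumbprint() {
    openssl x509 -inform "$(cert_inform "$1")" -in "$1" -noout -fingerprint -sha1 \
      | fingerprint_to_thumbprint
}

# notAfter of a certificate file, e.g. "Sep 30 12:00:00 2017 GMT".
cert_not_after() {
    openssl x509 -inform "$(cert_inform "$1")" -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Exit 0 if the certificate expires within $2 days (the condition that
# triggers the warning e-mail), 1 otherwise. openssl's -checkend exits 0 while
# the certificate is still valid at the given offset, so the result is inverted.
cert_expires_within_days() {
    if openssl x509 -inform "$(cert_inform "$1")" -in "$1" -noout \
         -checkend $(( $2 * 86400 )) >/dev/null; then
        return 1
    fi
    return 0
}

# Print the SHA-1 thumbprint of every signing certificate in a SAML metadata
# file, one per line. Per the metadata schema a <KeyDescriptor> without a
# "use" attribute is valid for both signing and encryption, so only
# use="encryption" is excluded. The Base64 body is re-wrapped to 64 columns
# because Azure AD publishes it on a single line and some PEM readers object.
metadata_signing_thumbprints() {
    tr -d '\r\n' < "$1" \
      | awk '{ gsub(/<KeyDescriptor/, "\n<KeyDescriptor"); print }' \
      | grep '^<KeyDescriptor' | grep -v 'use="encryption"' \
      | sed -n 's/.*<\([A-Za-z0-9]*:\)\{0,1\}X509Certificate>\([^<]*\)<.*/\2/p' \
      | tr -d ' \t' \
      | while read -r b64; do
            {
                echo '-----BEGIN CERTIFICATE-----'
                printf '%s\n' "$b64" | fold -w 64
                echo '-----END CERTIFICATE-----'
            } | openssl x509 -noout -fingerprint -sha1 | fingerprint_to_thumbprint
        done
}

# Exit 0 if the certificate file is one of the signing certificates in the
# metadata, 1 otherwise: the check to run on the file from step [8] before
# uploading it, and again against the metadata once the change is confirmed.
cert_in_metadata() {
    want=$(cert_thumbprint "$1")
    [ -n "$want" ] || return 1
    metadata_signing_thumbprints "$2" | grep -qx "$want"
}

# Report on one certificate file, warning at a 30-day horizon (an assumption
# of this example; the e-mail's own horizon is whatever Azure AD uses).
report_cert() {
    echo "thumbprint: $(cert_thumbprint "$1")"
    echo "not after:  $(cert_not_after "$1")"
    if cert_expires_within_days "$1" 30; then
        echo "WARNING: expires within 30 days"
    fi
}
```

Typical use after step [8]: `report_cert new.cer` to see the thumbprint and expiry you are about to upload, and `cert_in_metadata new.cer metadata.xml` after step [21] to confirm that the certificate SalesForce now holds is the one Azure AD advertises as its signing certificate. A thumbprint that is in the metadata but not in SalesForce (or the reverse) is exactly the mismatch that turns into failed logins.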

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge ############# #########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————
