Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2021-10-24) Azure AD Warning About Expiring Certificate In (SAML) Enterprise App

Posted by Jorge on 2021-10-24


When using an Enterprise Application in Azure AD with SAML SSO, you need to have a SAML Signing Certificate. If that certificate is about to expire, Azure AD will notify you about it and guide you on how to update it to prevent an SSO outage.

The e-mail you may receive will be similar to the following:

Figure 1: E-mail From Azure AD Warning You About An Upcoming SAML Signing Certificate Expiration

Clicking on the link to the Azure Portal in numbered item 1 will redirect you to the application in question. When I did that, I saw the following for the mentioned application:

Figure 2: SSO Configuration For The Mentioned Application

If you look at it, you see that SSO is disabled. So you might ask yourself: why in the heck is Azure AD mailing about an upcoming SAML Signing certificate expiration if SSO is not even configured? This surprised me a bit.

In this case, and I can’t even remember this, in the past I apparently configured SSO, or played with it, and then disabled it without cleaning up the SAML Signing Certificate. While SSO is disabled, click on the SAML option, and you will see there is indeed a SAML Signing Certificate, although it is not in use at all.

Figure 3: SAML Signing Certificate Configured While Not Being In Use At All

Click on EDIT in the “SAML Signing Certificate” section and you will see something similar to this:

Figure 4: SAML Signing Certificates That Are Configured

In THIS CASE (SAML Signing Certificate configured, but not in use at all), I clicked on the three dots on the right for the inactive SAML Signing certificate and selected “Delete Certificate” and confirmed with “YES”. Now if you try to delete the last active SAML Signing certificate, Azure AD will not let you do it. Because the SSO was not configured and the app was not even in use, the best option is to delete the complete app from Azure AD.

Lessons learned:

  • Clean up your stuff! 🙂
  • If you do use a SAML SSO configured app, make sure to:
    • have specified one or more e-mail addresses to receive notifications like these
    • not ignore these e-mails to make sure SSO is not impacted and does not break
    • renew these SAML Signing certificates in time
    • when configuring Azure AD with a new SAML Signing certificate, also update the Azure AD SAML configuration in the application itself
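The situation above (a signing certificate left behind on an app whose SSO mode is not SAML) and the lessons learned (notification addresses set, certificates renewed in time) can both be checked across a whole tenant instead of one app at a time. The script below is an added example, not code from the original post or from Microsoft; it uses the Microsoft Graph PowerShell SDK (Get-MgServicePrincipal from the Microsoft.Graph.Applications module) and the servicePrincipal properties preferredSingleSignOnMode, keyCredentials and notificationEmailAddresses. It assumes the module is installed, that the signed-in account has consented to Application.Read.All, and that 60 days is a reasonable warning threshold; adjust that value to your own notification lead time.

```powershell
# Added example, not from the original post: inventory SAML signing certificates
# on Azure AD enterprise applications (service principals) with Microsoft Graph
# PowerShell and flag the situations described in the post.
# Assumptions: Microsoft.Graph.Applications is installed, the caller has consented
# to Application.Read.All, and the 60-day threshold is a placeholder value.
param(
    [int] $ExpiryThresholdDays = 60
)

Import-Module Microsoft.Graph.Applications
Connect-MgGraph -Scopes 'Application.Read.All' | Out-Null

$now = Get-Date
$properties = 'id', 'displayName', 'preferredSingleSignOnMode', 'keyCredentials', 'notificationEmailAddresses'

$findings = foreach ($sp in (Get-MgServicePrincipal -All -Property $properties)) {
    # Only X.509 certificates with usage 'Sign' are SAML token signing certificates;
    # apps without any are not interesting here.
    $signingCerts = @($sp.KeyCredentials | Where-Object { $_.Usage -eq 'Sign' -and $_.Type -eq 'AsymmetricX509Cert' })
    if ($signingCerts.Count -eq 0) { continue }

    # 'saml' is the preferredSingleSignOnMode value for SAML-based SSO.
    $samlInUse = ($sp.PreferredSingleSignOnMode -eq 'saml')
    # Measure-Object (not @().Count) so that a null list counts as zero addresses.
    $hasNotificationAddresses = (($sp.NotificationEmailAddresses | Measure-Object).Count -gt 0)

    foreach ($cert in $signingCerts) {
        $daysLeft = [int][math]::Floor(($cert.EndDateTime - $now).TotalDays)
        $issues = @()

        if (-not $samlInUse) {
            # The case from the post: certificate left behind after SSO was disabled.
            $issues += 'signing certificate present but SSO mode is not SAML (orphaned)'
        }
        if ($daysLeft -le $ExpiryThresholdDays) {
            $issues += "expires in $daysLeft days"
        }
        if ($samlInUse -and -not $hasNotificationAddresses) {
            # Nobody would receive the expiration e-mail shown in Figure 1.
            $issues += 'no notification e-mail addresses configured'
        }

        [pscustomobject]@{
            App       = $sp.DisplayName
            ObjectId  = $sp.Id
            SsoMode   = $sp.PreferredSingleSignOnMode
            CertName  = $cert.DisplayName
            ExpiresOn = $cert.EndDateTime
            DaysLeft  = $daysLeft
            Issues    = ($issues -join '; ')
        }
    }
}

# Show only the apps that need attention, most urgent first.
$findings | Where-Object { $_.Issues } | Sort-Object DaysLeft | Format-Table -AutoSize
```

Apps reported as "orphaned" are candidates for the cleanup described above (delete the unused certificate, or the whole unused app); apps reported with "no notification e-mail addresses configured" are the ones where the expiration warning would never reach anyone.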

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided “AS IS” with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

————————————————————————————————————————————————————-
########################### IAMTEC | Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################

————————————————————————————————————————————————————

IAMTEC

Identity | Security | Recovery

————————————————————————————————————————————————————-
