Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Certificates’ Category

(2021-10-24) Azure AD Warning About Expiring Certificate In (SAML) Enterprise App

Posted by Jorge on 2021-10-24


When using an Enterprise Application in Azure AD with SAML SSO you need to have a SAML Signing Certificate. If that certificate is going to expire, Azure AD will notify you about it and guide you on how to update it to prevent an SSO outage.

The e-mail you may receive will be similar to the following:

Figure 1: E-mail From Azure AD Warning You About An Upcoming SAML Signing Certificate Expiration

Clicking on the link for the Azure Portal in numbered item 1 will redirect you to the application in question. When I did that, I saw the following for the mentioned application:

Figure 2: SSO Configuration For The Mentioned Application

If you look at it, you see that SSO is disabled. So you might ask yourself why in the heck Azure AD is mailing about an upcoming SAML Signing certificate expiration if SSO is not even configured? This surprised me a bit.

In this case, and I can’t even remember this, I apparently configured SSO in the past, or played with it, and then disabled it without cleaning up the SAML Signing Certificate. While SSO is disabled, click on the SAML option and you will see that there is indeed a SAML Signing Certificate, although it is not in use at all.

Figure 3: SAML Signing Certificate Configured While Not Being In Use At All

Click on EDIT in the “SAML Signing Certificate” section and you will see something similar to this:

Figure 4: SAML Signing Certificates That Are Configured

In THIS CASE (SAML Signing Certificate configured, but not in use at all), I clicked on the three dots on the right of the inactive SAML Signing certificate, selected “Delete Certificate” and confirmed with “YES”. Note that if you try to delete the last active SAML Signing certificate, Azure AD will not let you do it. Because SSO was not configured and the app was not even in use, the best option is to delete the complete app from Azure AD.

Lessons learned:

  • Clean up your stuff! 🙂
  • If you do use a SAML SSO configured app, make sure to:
    • specify one or more e-mail addresses to receive notifications like these
    • not ignore these e-mails, so that SSO is not impacted and does not break
    • renew these SAML Signing certificates in time
    • when configuring a new SAML Signing certificate in Azure AD, also update the Azure AD SAML configuration in the application itself
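Both situations above (a signing certificate close to expiry, and a certificate left behind on an app whose SSO is disabled) can be caught across all enterprise applications at once by reading each service principal's keyCredentials and preferredSingleSignOnMode from Microsoft Graph. The script below is an added example, not code from the post or from Microsoft; it runs on constructed records whose field names follow the Graph servicePrincipal resource, and the app names, thumbprints and dates in it are made up.

```python
"""Flag Azure AD SAML signing certificates that are about to expire, already
expired, or configured on an enterprise app whose SSO mode is not SAML at all.

Added example, not code from the original post. It runs on constructed records
whose field names mirror the Microsoft Graph servicePrincipal resource
(preferredSingleSignOnMode, preferredTokenSigningKeyThumbprint, keyCredentials).
"""
import base64
from datetime import datetime, timezone


def key_identifier_from_thumbprint(hex_thumbprint: str) -> str:
    """Graph returns customKeyIdentifier as base64 of the raw thumbprint bytes."""
    return base64.b64encode(bytes.fromhex(hex_thumbprint)).decode()


# "Today" for the audit: the date of the post (constructed, keeps results stable).
AS_OF = datetime(2021, 10, 24, tzinfo=timezone.utc)

# Constructed sample: display names, thumbprints and dates are made up.
SAMPLE_SERVICE_PRINCIPALS = [
    {
        "displayName": "Salesforce",
        "preferredSingleSignOnMode": "saml",
        "preferredTokenSigningKeyThumbprint": "A1B2C3",
        "keyCredentials": [
            # An Azure AD SAML signing certificate appears as a Sign/Verify pair
            # sharing one customKeyIdentifier (the base64-encoded thumbprint).
            {"type": "AsymmetricX509Cert", "usage": "Sign", "customKeyIdentifier": key_identifier_from_thumbprint("A1B2C3"), "endDateTime": "2021-11-15T00:00:00Z"},
            {"type": "AsymmetricX509Cert", "usage": "Verify", "customKeyIdentifier": key_identifier_from_thumbprint("A1B2C3"), "endDateTime": "2021-11-15T00:00:00Z"},
            # An older, rolled-over certificate that was never cleaned up.
            {"type": "AsymmetricX509Cert", "usage": "Sign", "customKeyIdentifier": key_identifier_from_thumbprint("0A0B0C"), "endDateTime": "2021-09-01T00:00:00Z"},
            {"type": "AsymmetricX509Cert", "usage": "Verify", "customKeyIdentifier": key_identifier_from_thumbprint("0A0B0C"), "endDateTime": "2021-09-01T00:00:00Z"},
        ],
    },
    {
        # The situation from the post: SSO was disabled but a certificate remained.
        "displayName": "Old test app",
        "preferredSingleSignOnMode": None,
        "preferredTokenSigningKeyThumbprint": "D4E5F6",
        "keyCredentials": [
            {"type": "AsymmetricX509Cert", "usage": "Sign", "customKeyIdentifier": key_identifier_from_thumbprint("D4E5F6"), "endDateTime": "2022-03-01T00:00:00Z"},
            {"type": "AsymmetricX509Cert", "usage": "Verify", "customKeyIdentifier": key_identifier_from_thumbprint("D4E5F6"), "endDateTime": "2022-03-01T00:00:00Z"},
        ],
    },
]


def parse_graph_datetime(value: str) -> datetime:
    """Graph emits ISO 8601 with a trailing 'Z'; fromisoformat wants an offset."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def thumbprint_from_key_identifier(b64: str) -> str:
    return base64.b64decode(b64).hex().upper()


def audit_signing_certs(service_principals, now=AS_OF, warn_days=30):
    """Return one finding per (app, certificate) that needs attention."""
    findings = []
    for sp in service_principals:
        sso_mode = sp.get("preferredSingleSignOnMode")
        active_tp = (sp.get("preferredTokenSigningKeyThumbprint") or "").upper()
        # Collapse the Sign/Verify pair to one entry per certificate thumbprint.
        cert_expiry = {}
        for kc in sp.get("keyCredentials", []):
            if kc.get("type") != "AsymmetricX509Cert":
                continue
            tp = thumbprint_from_key_identifier(kc["customKeyIdentifier"])
            end = parse_graph_datetime(kc["endDateTime"])
            cert_expiry[tp] = min(end, cert_expiry.get(tp, end))
        for tp, end in cert_expiry.items():
            days_left = (end - now).days
            issues = []
            if days_left < 0:
                issues.append("expired")
            elif days_left <= warn_days:
                issues.append(f"expires in {days_left} days")
            if sso_mode != "saml":
                issues.append("signing certificate present but SAML SSO is not enabled")
            if issues:
                findings.append({
                    "app": sp["displayName"],
                    "thumbprint": tp,
                    "active": tp == active_tp,   # the one Azure AD currently signs with
                    "days_left": days_left,
                    "issues": issues,
                })
    return findings


if __name__ == "__main__":
    for f in audit_signing_certs(SAMPLE_SERVICE_PRINCIPALS):
        state = "active" if f["active"] else "inactive, candidate for deletion"
        print(f"{f['app']}: {f['thumbprint']} ({state}) -> {'; '.join(f['issues'])}")
```

Against a real tenant, feed the `value` array of a Graph `GET /servicePrincipals` query (selecting displayName, preferredSingleSignOnMode, preferredTokenSigningKeyThumbprint and keyCredentials) to `audit_signing_certs`. Findings marked inactive are the ones the post removes via the three-dots menu; an active one that is expiring needs the renew-and-update-the-application procedure instead.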

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided “AS IS” with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

————————————————————————————————————————————————————-
IAMTEC | Jorge’s Quest For Knowledge
http://JorgeQuestForKnowledge.wordpress.com/
————————————————————————————————————————————————————

IAMTEC

Identity | Security | Recovery

————————————————————————————————————————————————————-

Posted in Certificates, Windows Azure Active Directory

(2016-09-30) Azure AD Warns You About An Upcoming Token Signing Certificate Expiration To Federate With An Application

Posted by Jorge on 2016-09-30


You are using Azure AD to federate with other SaaS solutions (e.g. SalesForce) so that you can achieve SSO, either when logging on with your Azure AD credentials or, if you are using an on-premises federation solution like ADFS, with your on-premises AD credentials (assuming you are using AD). As you may know, every federation trust is based upon certificates, and certificates do expire.

[1] As the Identity Provider (IdP) you will always have a Token Signing certificate to sign security tokens/SAML responses issued by the IdP for the Service Provider (SP).

[2] As the Service Provider (SP) you may have a Token Signing certificate to sign the SAML requests the SP issues to the Identity Provider (IdP), and/or a Token Encryption certificate to decrypt the assertions in the security tokens/SAML responses that were issued and encrypted by the Identity Provider (IdP).

With that in mind, you will have to replace those certificates before they expire. In this case we focus on [1].

Azure AD to the rescue! This is where Azure AD comes in: it warns you about a certificate it knows about that will expire within some number of days.

When that happens, and in this case it is about federating between Azure AD and SalesForce, you will receive an e-mail similar to the one below.

Action required: Your usage of Salesforce using Azure Active Directory may incur downtime if action is not taken to update the certificate used for single sign-on.


Figure 1: Mail From The Azure AD Team Warning About An Upcoming Certificate Expiration

As the e-mail mentions, perform the following steps:

  • [1] Sign into the Azure classic portal using a global administrator account that also has service administrator or co-administrator permissions.
  • [2] Under the Active Directory tab, select the following directory name: <Directory Name>
  • [3] Select the Applications tab, then select <Application name>.
  • [4] On the Quick Start tab (represented by the blue cloud icon), select the Configure single sign-on button.
  • [5] Select Microsoft Azure AD Single Sign-On and select Next.
  • [6] In the Configure App Settings screen, select Configure the certificate used for federated single sign-on and select Next.


Figure 2: Choosing The SSO Option For The Application

As the e-mail mentions, perform the following steps:

  • [6] In the Configure App Settings screen, select Configure the certificate used for federated single sign-on and select Next.

Arriving at the “Configure App Settings” screen, you should already have a “Sign On URL” and an “Identifier” specified.

Figure 3: Configuring App Settings

In this case for SalesForce, go to SalesForce and on the screen on the left where it says “Administer” click on “Domain Management” and then click on “Domains”. On that page you will find the “Sign On URL” that needs to be specified in Azure AD (Figure 3).


Figure 4: Determining The SalesForce “Sign On URL”

In this case for SalesForce, go to SalesForce and on the screen on the left where it says “Administer” click on “Security Controls” and then click on “Single Sign-On Settings”. On that page you will find the “Identifier” that is configured in SalesForce for the IdP representing Azure AD and that needs to be specified in Azure AD (Figure 3).


Figure 5: Determining The SalesForce “Identifier”

As the e-mail mentions, perform the following steps:

  • [7] In the Configure Federated SSO Certificate screen, select Generate a new certificate, choose an appropriate validity duration for the certificate and select Next.


Figure 6: Configuring An SSO Certificate

The mail does not mention the following step, but you should execute it:

  • [8] Click on Download Certificate and save the certificate file somewhere on your computer

Figure 7: Configuring SSO For The Application In Azure AD

The mail does not mention the following steps, but you should execute them (in this case for SalesForce):

  • [9] Go to SalesForce
  • [10] On the screen on the left where it says “Administer” click on Security Controls and then click on Single Sign-On Settings. On that page click on the IdP representing Azure AD.


Figure 8: Selecting And Editing The IdP In SalesForce That Represents Azure AD

  • [11] Click on Edit
  • [12] The “Issuer URL” (Figure 7) should be specified in (1)
  • [13] The “downloaded Certificate” (Figure 7) should be specified in (2). Click Browse and upload the certificate that you previously downloaded from Azure AD
  • [14] The “Remote Login URL” (Figure 7) should be specified in (3)
  • [15] The “Single Sign-Out Service URL” (Figure 7) should be specified in (4)
  • [16] Click on Save


Figure 9: Configuring The IdP In SalesForce That Represents Azure AD

  • [17] Now go back to the Azure AD portal (Figure 7)
  • [18] Check the box “Confirm that you have configured single sign-on as described…”
  • [19] Click Next
  • [20] Specify your mail address, if not already specified, to receive a confirmation that SSO was configured
  • [21] Click Next
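The values entered at steps [12] to [15] (Issuer URL, certificate, Remote Login URL, Single Sign-Out URL) are the same ones a SAML IdP publishes in its federation metadata: the Token Signing certificate of [1] sits in a KeyDescriptor with use="signing", while an SP would publish its Token Encryption certificate of [2] with use="encryption". The script below is an added example, not code from the post or from Microsoft or SalesForce. It parses a constructed IdP metadata document, extracts those four values, and checks whether the certificate fingerprint recorded at the SP still matches a signing certificate the IdP publishes, which is exactly the mismatch that causes the downtime the e-mail warns about. The entityID, URLs and certificate blobs are made-up placeholders, not real certificates.

```python
"""Extract from SAML IdP metadata the values an SP's IdP form asks for (Issuer,
signing certificate, login URL, logout URL) and detect whether the certificate
the SP has on file is still one the IdP signs with.

Added example, not code from the original post. The metadata is constructed;
the base64 inside <ds:X509Certificate> is a placeholder blob, not real DER.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Placeholder certificate blobs (constructed; not real X.509 certificates).
OLD_CERT_B64 = base64.b64encode(b"constructed: previous IdP signing cert").decode()
NEW_CERT_B64 = base64.b64encode(b"constructed: newly generated IdP signing cert").decode()

# Constructed IdP metadata in the shape a SAML 2.0 IdP publishes; entityID and
# Location values are made up.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sts.example.test/tenant-id/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        %s
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.example.test/tenant-id/saml2/logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.example.test/tenant-id/saml2"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.example.test/tenant-id/saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % NEW_CERT_B64


def fingerprint(cert_b64: str) -> str:
    """SHA-1 fingerprint of the DER bytes, the form most SP admin UIs display."""
    digest = hashlib.sha1(base64.b64decode(cert_b64)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def parse_idp_metadata(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    signing, encryption = [], []
    for kd in idp.findall("md:KeyDescriptor", NS):
        use = kd.get("use")  # per the SAML metadata spec, absent means both purposes
        for cert in kd.findall(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())  # strip line breaks/indentation
            if use in (None, "signing"):
                signing.append(b64)
            if use in (None, "encryption"):
                encryption.append(b64)

    def location(tag: str):
        endpoints = idp.findall(f"md:{tag}", NS)
        # Prefer the HTTP-Redirect binding, fall back to whatever is published.
        preferred = [e for e in endpoints if e.get("Binding") == HTTP_REDIRECT] or endpoints
        return preferred[0].get("Location") if preferred else None

    return {
        "issuer": root.get("entityID"),
        "signing_certs": signing,
        "encryption_certs": encryption,
        "login_url": location("SingleSignOnService"),
        "logout_url": location("SingleLogoutService"),
    }


def rollover_needed(idp: dict, sp_configured_fingerprint: str) -> bool:
    """True when the certificate on file at the SP is no longer one the IdP signs with."""
    published = {fingerprint(c) for c in idp["signing_certs"]}
    return sp_configured_fingerprint.upper() not in published


if __name__ == "__main__":
    values = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("Issuer URL:          ", values["issuer"])
    print("Remote Login URL:    ", values["login_url"])
    print("Single Sign-Out URL: ", values["logout_url"])
    print("Signing cert SHA-1:  ", [fingerprint(c) for c in values["signing_certs"]])
    print("SP still on old cert?", rollover_needed(values, fingerprint(OLD_CERT_B64)))
```

Run periodically against the IdP's published metadata and the fingerprint your SP shows for the configured IdP certificate; a `True` from `rollover_needed` means step [13] (uploading the new certificate) has not been done yet on that SP.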


Figure 10: SSO Configuration Confirmation

Your access to the application through SSO should still work and you should be good to go for the amount of time the new certificate is valid.

Cheers,
Jorge

Posted in Certificates, SaaS Apps, SSO, Windows Azure Active Directory