AD FS 2.0 – Sharing Signing Certificates across RP Trusts

AD FS 2.0 Rollup 3 (RU3) adds support for sharing a request signing certificate between multiple relying party (RP) trusts. Before RU3, each RP trust that used a signing certificate at all had to use one that was unique across the farm, and any attempt to assign the same certificate to a second RP trust failed with the following error:

MSIS7613: The signing certificate of the relying party trust is not unique across all relying party trusts in AD FS 2.0 configuration

So, after installing RU3, I expected this fix to simply work. After various tests and some assistance from PSS, it turns out that this is an optional change rather than one activated automatically by deploying the rollup: a script has to be run to enable the capability. Once RU3 is installed, the folder C:\Program Files\Active Directory Federation Services 2.0\SQL contains a PowerShell script named PostReleaseSchemaChanges.ps1. This must be run on the primary AD FS server from an elevated PowerShell prompt (it changes the configuration database schema, which only the primary server can write to). Once this is done, you should find that you can configure several RP trusts with the same signing certificate.

To test this I used two SimpleSAMLphp (SSP) service providers (App1 and App2), each publishing its metadata at an online endpoint:

https://app1.mydomain.com/module.php/saml/sp/metadata.php/default-sp

https://app2.mydomain.com/module.php/saml/sp/metadata.php/default-sp

Both relying parties use the same X.509 certificate and key pair, as configured in the SSP authsources.php file, so both metadata documents carry the same signing certificate. After the schema change, both RP trusts could be created from their metadata and the metadata exchange completed without AD FS raising MSIS7613.
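The steps above, the one-time schema script, creating the two RP trusts from their metadata and then checking which trusts share a signing certificate, collected into one script. This is an added example and not code from the original post; it assumes the RU3 script path and the two metadata URLs from this post, that it is run from an elevated PowerShell prompt on the primary AD FS 2.0 server, and uses the RP trust names App1 and App2, which are my own choice. The MSIS7613 check in the catch block is an assumption about how the pre-RU3 failure surfaces to PowerShell.

```powershell
# Added example: enable shared RP signing certificates after AD FS 2.0 RU3
# and verify the result. Run in an elevated PowerShell on the PRIMARY AD FS
# 2.0 server. RP names, metadata URLs and script path are assumptions taken
# from the post's test setup.

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# 1. One-time configuration database schema change shipped with RU3.
#    The rollup installer does not run it for you.
$schemaScript = 'C:\Program Files\Active Directory Federation Services 2.0\SQL\PostReleaseSchemaChanges.ps1'
if (-not (Test-Path $schemaScript)) {
    throw "RU3 schema script not found at $schemaScript - is Rollup 3 installed?"
}
& $schemaScript

# 2. Create the two RP trusts from their SimpleSAMLphp metadata endpoints.
#    Both SPs sign with the same key pair, so without the schema change the
#    second Add-ADFSRelyingPartyTrust is expected to fail with MSIS7613.
$rps = @{
    'App1' = 'https://app1.mydomain.com/module.php/saml/sp/metadata.php/default-sp'
    'App2' = 'https://app2.mydomain.com/module.php/saml/sp/metadata.php/default-sp'
}
foreach ($name in $rps.Keys) {
    try {
        Add-ADFSRelyingPartyTrust -Name $name -MetadataUrl $rps[$name] -ErrorAction Stop
        Write-Host "Created RP trust '$name'"
    } catch {
        # Assumption: the MSIS7613 error text is carried in the exception message.
        if ($_.Exception.Message -match 'MSIS7613') {
            Write-Warning "'$name': its signing certificate is already used by another RP trust; PostReleaseSchemaChanges.ps1 has not taken effect on this farm."
        }
        throw
    }
}

# 3. Verify: list every request signing certificate thumbprint that is used
#    by more than one RP trust. Before RU3 this list is always empty.
Get-ADFSRelyingPartyTrust |
    ForEach-Object {
        $rp = $_
        foreach ($cert in $rp.RequestSigningCertificate) {
            New-Object PSObject -Property @{
                Thumbprint   = $cert.Thumbprint
                RelyingParty = $rp.Name
            }
        }
    } |
    Group-Object Thumbprint |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        $names = ($_.Group | ForEach-Object { $_.RelyingParty }) -join ', '
        "Thumbprint $($_.Name) is shared by: $names"
    }
```

Step 3 is also a useful standing check on any farm: a thumbprint shared across trusts means those relying parties share a private key, so compromise of one SP's key lets an attacker sign authentication requests as the other. Sharing is convenient for a single operator running several SSP instances, but it should be a deliberate decision rather than something discovered after the fact.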
