AD FS 2.0 Rollup 3 (RU3) adds support for sharing a request-signing certificate between multiple relying party trusts. Before RU3, any relying party trust that was configured with a signing certificate required one that was unique across the whole AD FS 2.0 configuration, and attempting to reuse a certificate on a second RP generated the following error:
MSIS7613: The signing certificate of the relying party trust is not unique across all relying party trusts in AD FS 2.0 configuration
So, following the release of RU3, I fully expected to see this fix working. After various tests and assistance from PSS, it turns out that this is an optional "tweak" rather than one that is activated automatically by deploying the rollup: a script has to be run to switch the capability on. After RU3 is installed, the folder C:\Program Files\Active Directory Federation Services 2.0\SQL contains a PostReleaseSchemaChanges.ps1 PowerShell script. This needs to be run on the primary AD FS server from an elevated PowerShell prompt. Once that is done, you should find that you can configure multiple RP trusts with the same signing certificate. Bear in mind that a shared signing certificate is also a shared trust boundary: whoever holds that private key can sign requests on behalf of every RP that uses it, so only share it between RPs that are operated and protected together.
To test this I used two SimpleSAMLphp (SSP) service providers (App1 and App2) with online metadata endpoints.
Both relying parties (RPs) use the same X.509 certificate and key pair, as defined in each SP's authsources.php. It was then possible to create both relying party trusts and exchange metadata without AD FS throwing the error.
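The steps above as one script, added here as an example and not code from the original post. It checks the two preconditions the post calls out (elevated prompt, primary AD FS server), runs the RU3 schema script from the path the post gives, creates two RP trusts from their SimpleSAMLphp metadata endpoints, and then reads both trusts back to confirm they really do carry the same request-signing certificate. The trust names, the two metadata URLs and the MSIS7613 check are my assumptions; the AD FS cmdlets (Add-PSSnapin Microsoft.Adfs.PowerShell, Get-ADFSSyncProperties, Add-ADFSRelyingPartyTrust, Get-ADFSRelyingPartyTrust) are the standard AD FS 2.0 ones.

```powershell
# Added example (not from the original post): enable the RU3 shared-signing-certificate
# schema change, create two RP trusts from metadata, and verify the certificate is shared.
# Assumptions: trust names and metadata URLs below are placeholders for the two
# SimpleSAMLphp SPs; the script path is the one the post gives.

$ErrorActionPreference = 'Stop'

# Precondition 1: must run from an elevated prompt.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell prompt.'
}

# Precondition 2: must run on the primary AD FS 2.0 server (the one that owns the config DB).
if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}
if ((Get-ADFSSyncProperties).Role -ne 'PrimaryComputer') {
    throw 'PostReleaseSchemaChanges.ps1 must be run on the primary AD FS server.'
}

# Step 1: apply the optional RU3 schema change that lifts the uniqueness constraint.
$schemaScript = 'C:\Program Files\Active Directory Federation Services 2.0\SQL\PostReleaseSchemaChanges.ps1'
& $schemaScript

# Step 2: create the two RP trusts from their SP metadata (placeholder URLs, assumed).
# With online metadata AD FS takes the request-signing certificate from the SP's metadata,
# so both trusts end up with the certificate configured in each SP's authsources.php.
$rps = @(
    @{ Name = 'App1'; MetadataUrl = 'https://app1.example.com/simplesaml/module.php/saml/sp/metadata.php/default-sp' },
    @{ Name = 'App2'; MetadataUrl = 'https://app2.example.com/simplesaml/module.php/saml/sp/metadata.php/default-sp' }
)
foreach ($rp in $rps) {
    try {
        Add-ADFSRelyingPartyTrust -Name $rp.Name -MetadataUrl $rp.MetadataUrl
        Write-Host "Created relying party trust '$($rp.Name)'"
    } catch {
        # Pre-RU3 (or schema script not run) behaviour: the second trust is rejected.
        if ($_.Exception.Message -match 'MSIS7613') {
            throw "Shared signing certificate still rejected for '$($rp.Name)': did PostReleaseSchemaChanges.ps1 run on the primary?"
        }
        throw
    }
}

# Step 3: read both trusts back and confirm they carry the same request-signing certificate.
$thumbprints = foreach ($rp in $rps) {
    (Get-ADFSRelyingPartyTrust -Name $rp.Name).RequestSigningCertificate |
        ForEach-Object { $_.Thumbprint }
}
$shared = $thumbprints | Group-Object | Where-Object { $_.Count -gt 1 }
if ($shared) {
    Write-Host ("Signing certificate {0} is shared by {1} relying party trusts" -f $shared.Name, $shared.Count)
} else {
    Write-Warning 'No signing certificate is shared between the two trusts; check the SP metadata.'
}
```

The thumbprint comparison at the end is the check worth keeping around: it tells you whether the shared key really landed on both trusts, rather than relying on the absence of MSIS7613 alone.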