Renewal of ADFS signing certificate affects third party services like Oracle Cloud and ServiceNow

Recently we experienced an outage with third party services like Oracle Cloud and ServiceNow that were integrated with ADFS for single sign-on.


With automatic certificate rollover (AutoCertificateRollover, the default), ADFS generates a new token-signing certificate 20 days before the current one expires and promotes it to primary 5 days later, i.e. 15 days before expiry. From the moment of promotion ADFS signs tokens with the new certificate, so a third party service that still trusts only the old certificate can no longer validate the tokens it receives and SSO fails.

During this window the federation metadata (FederationMetadata.xml) lists both the primary and the secondary token-signing certificate. Services that accept only one signing certificate from the metadata, as these did, need an edited copy of the XML that contains only the new primary certificate, uploaded with the global administrator account of the respective service.

Look for the following element (the X509Certificate content is the base64-encoded certificate, shortened here):

<KeyDescriptor use="signing">
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
            <X509Certificate>****</X509Certificate>
        </X509Data>
    </KeyInfo>
</KeyDescriptor>

You will find two instances of this element (one per signing certificate) under each of the following three tags:

 a.
<RoleDescriptor xsi:type="fed:SecurityTokenServiceType">

 b.
<SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:*.0:protocol">

 c.
<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:*.0:protocol">

 

Remove the KeyDescriptor of the old (now secondary) certificate in each of the three places. In our case it was the first of the two instances, but do not rely on position alone: compare the SHA-1 thumbprint of each base64 certificate with the output of Get-AdfsCertificate -CertificateType Token-Signing on the ADFS server and keep the one marked IsPrimary = True. Leave the KeyDescriptor use="encryption" entries untouched.

Upload the edited federation metadata file to the 3rd party services and SSO should work normally again.

Note: this has to be done once the new certificate has become primary, 15 days before the expiry of the old one. The certificate the service trusts must be the one ADFS is currently signing with, so editing the metadata before promotion would remove the wrong certificate.
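As an added worked example (not code from the original post), the script below does the edit by thumbprint instead of by position: it removes every signing KeyDescriptor under RoleDescriptor, SPSSODescriptor and IDPSSODescriptor whose certificate does not match the primary token-signing thumbprint, refuses to produce output if any of the three roles would be left without the primary, and leaves the encryption keys alone. It assumes you obtain the thumbprint from Get-AdfsCertificate -CertificateType Token-Signing on the ADFS server and pass it as the second argument. The built-in sample metadata and its two "certificates" are constructed placeholders (base64 of arbitrary bytes rather than real X.509 DER); they are enough to exercise the matching logic, since a thumbprint is simply SHA-1 over the decoded bytes.

```python
"""Prune the old token-signing certificate from an ADFS FederationMetadata.xml.

Added example, not from the original post. Usage against a real file:
    python prune_adfs_metadata.py FederationMetadata.xml <primary thumbprint> > edited.xml
With no arguments it runs against the constructed sample below.
"""
from __future__ import annotations

import base64
import hashlib
import sys
from xml.dom import minidom

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# The three role descriptors the post names; only their signing keys are touched.
ROLES = {"RoleDescriptor", "SPSSODescriptor", "IDPSSODescriptor"}


def thumbprint(b64_der: str) -> str:
    """SHA-1 over the DER bytes, upper-case hex: the value Get-AdfsCertificate and certlm.msc show."""
    der = base64.b64decode("".join(b64_der.split()))
    return hashlib.sha1(der).hexdigest().upper()


def prune_signing_keys(metadata_xml, primary_thumbprint: str) -> tuple[str, dict[str, list[str]]]:
    """Return (edited XML, {role name: [thumbprints removed]}).

    Raises ValueError if a role would be left without the primary certificate, so a
    mistyped thumbprint cannot yield metadata that trusts no signing key at all.
    """
    want = primary_thumbprint.replace(" ", "").replace(":", "").upper()
    doc = minidom.parseString(metadata_xml)
    removed: dict[str, list[str]] = {}
    roles_seen: set[str] = set()
    has_primary: set[str] = set()
    for kd in list(doc.getElementsByTagNameNS(MD_NS, "KeyDescriptor")):
        role = kd.parentNode
        if role.localName not in ROLES or kd.getAttribute("use") != "signing":
            continue  # encryption keys and anything outside the three roles stay as they are
        roles_seen.add(role.localName)
        cert = kd.getElementsByTagNameNS(DS_NS, "X509Certificate")[0].firstChild.data
        tp = thumbprint(cert)
        if tp == want:
            has_primary.add(role.localName)
        else:
            role.removeChild(kd)
            removed.setdefault(role.localName, []).append(tp)
    missing = roles_seen - has_primary
    if missing:
        raise ValueError(f"primary thumbprint {want} not found under {sorted(missing)}; refusing to write metadata")
    # ADFS signs the EntityDescriptor with an enveloped XML signature; any edit
    # invalidates it, so drop the stale Signature rather than ship a broken one.
    for child in list(doc.documentElement.childNodes):
        if child.nodeType == child.ELEMENT_NODE and child.namespaceURI == DS_NS and child.localName == "Signature":
            doc.documentElement.removeChild(child)
    return doc.toxml(), removed


# Constructed placeholders: base64 of arbitrary bytes standing in for the DER of the
# old (secondary) and new (primary) token-signing certificates. Not real certificates.
OLD_CERT = base64.b64encode(b"constructed placeholder: old token-signing cert DER").decode()
NEW_CERT = base64.b64encode(b"constructed placeholder: new token-signing cert DER").decode()


def _key(cert_b64: str, use: str) -> str:
    return (f'<KeyDescriptor use="{use}"><KeyInfo xmlns="{DS_NS}"><X509Data>'
            f'<X509Certificate>{cert_b64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>')


# Constructed sample mirroring the layout of ADFS federation metadata during rollover:
# two signing certificates under each of the three roles, plus encryption keys.
SAMPLE_METADATA = (
    f'<EntityDescriptor xmlns="{MD_NS}" entityID="http://adfs.example.com/adfs/services/trust">'
    f'<Signature xmlns="{DS_NS}"><SignedInfo/><SignatureValue>AA==</SignatureValue></Signature>'
    '<RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" '
    'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="fed:SecurityTokenServiceType">'
    f'{_key(OLD_CERT, "signing")}{_key(NEW_CERT, "signing")}{_key(NEW_CERT, "encryption")}</RoleDescriptor>'
    '<SPSSODescriptor WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    f'{_key(OLD_CERT, "signing")}{_key(NEW_CERT, "signing")}{_key(NEW_CERT, "encryption")}</SPSSODescriptor>'
    '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    f'{_key(OLD_CERT, "signing")}{_key(NEW_CERT, "signing")}</IDPSSODescriptor>'
    '</EntityDescriptor>'
)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            out, removed = prune_signing_keys(fh.read(), sys.argv[2])
    else:
        out, removed = prune_signing_keys(SAMPLE_METADATA, thumbprint(NEW_CERT))
    sys.stdout.write(out)
    sys.stderr.write(f"removed: {removed}\n")
```

Because the edited file no longer carries a valid metadata signature, this only helps with services that, like the ones in this post, do not verify the metadata signature on upload; a service that does verify it will reject the edited file and needs the certificate entered by hand instead.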
