SAML based on ADFS can not work

182 views Asked by At

Background: 1. Originally SAML based on the ADFS works fine, but after the ADFS certificate update, it can't work fine. Since the certificate of the ADFS will be expired, so we update the certificate, but unfortunately can not work fine with updated certificate ADFS

The exception is "Signature is not trusted or invalid" which thrown in the spring SAML. Does there exist some especially needed to be noticed when update the ADFS certificate?

1

There are 1 answers

0
b.s On

You need to regenerate the Identity provider (IDP) XML file i.e federation-metadata.xml and exchange with the client i.e Service provider. As you mentioned that ADFS certificates were expired and you reconfigured the new certificates, so those play a significant role for encryption and signing of assertions issued from the IDP based on how the system is configured. You have made the changes on the IDP side but on SP side still, old federation-metadata.xml is in use with old certificates. When IDP issued assertions or response, that response is validated by using those certificates. When you regenerate that file it will contain the latest details related to certificates. So you need to regenerate the federation-metadata.xml and share with the service provider (SP) in order to fix the issue.