Certificates needed for AD and ADFS

  • Question

  • We are implementing federated authentication using an external identity provider.  Here is our current configuration:

    - Within our domain's internal network ("domain1") we have 2 non-related websites running on https.  Each website has its own SSL certificate (so, let's say there is one SSL certificate for "www.website1.com" and another SSL certificate for "www.website2.com").

    - Both websites are SharePoint based and will delegate authentication to ADFS.  AD is supposed to then communicate with ADFS Proxy and then that authentication request will be passed on to the external identity provider.

    I'm confused as to which certificate is needed on ADFS and ADFS Proxy.  From the following article:

    https://technet.microsoft.com/en-us/library/dd807040.aspx

    It looks like we need "Service communication certificate" and "Secure Sockets Layer (SSL) certificate".  In the "service communication certificate" it says "By default, this is the same certificate that a federation server uses as the Secure Sockets Layer (SSL) certificate in Internet Information Services (IIS)"

    So my question is: do I need a completely separate SSL certificate issued by a trusted CA to use for ADFS and ADFS Proxy or can I use one of the two SSL certificates used by our websites?  Note that ADFS Proxy and ADFS will be providing authentication for both websites so I'm not sure whether using the SSL certificate (it's already issued by a trusted CA) would work.

    If we do need a separate SSL certificate for ADFS and ADFS Proxy, can we get just a regular SSL certificate (e.g. issued for "domain1"), or do we need to get a wildcard certificate (since we have these two websites on the network that use two completely different URLs)?  I'm still confused as to whether the SSL certificates used by our websites are in any way related to the SSL certificate needed for communication between ADFS and ADFS Proxy, so any clarification on this would be greatly appreciated.

    thanks,

    Tuesday, February 16, 2016 1:57 PM

Answers

  • That link refers to 2012 not 2012 R2. In R2, ADFS does not use IIS.

    No - you need another generic SSL certificate e.g. login.websites.com. Generic in the sense that you can use it across all websites you may run up.

    The SSL certificates for your websites are not related to the ADFS SSL certificate.

    Flow: user navigates to www.website1.com, requires authentication, redirected to login.websites.com, authenticates, redirected back to www.website1.com with token.

    Tuesday, February 16, 2016 5:57 PM
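The practical check behind the reply above is a hostname-matching one: the certificate that ADFS (and the proxy in front of it) presents must cover the federation service name the browser is redirected to, here login.websites.com, and a certificate issued for www.website1.com cannot do that no matter how trusted its CA is. The script below is an added example, not code from the thread or from Microsoft; the certificate name lists are constructed to mirror the thread's setup, and the wildcard case goes slightly beyond the reply to show how a single-label wildcard would and would not cover that name (RFC 6125 rules: a wildcard may only be the entire left-most label and matches exactly one label).

```python
"""Check which certificates cover an ADFS federation service name.

Added example (not from the TechNet thread). The certificate inventories
below are constructed: one cert per website as described in the question,
plus two candidate certificates for the federation service.
"""
from typing import Dict, Iterable, List


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS name from a certificate (CN or SAN) against a hostname.

    Wildcard handling follows RFC 6125: the wildcard must be the whole
    left-most label, it matches exactly one label, and it never matches
    the bare parent domain ("*.websites.com" does not cover "websites.com").
    Comparison is case-insensitive and ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only "*.example.com" style wildcards are accepted; "w*.x" and "*.com" are not.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # The wildcard stands in for exactly one label, so label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers_host(cert_names: Iterable[str], hostname: str) -> bool:
    """True if any name carried by the certificate covers the hostname."""
    return any(dns_name_matches(name, hostname) for name in cert_names)


def audit_certificates(certs: Dict[str, List[str]], federation_service_name: str) -> Dict[str, bool]:
    """Report, per certificate, whether it could serve the ADFS federation service name."""
    return {label: cert_covers_host(names, federation_service_name) for label, names in certs.items()}


# Constructed inventory: the two website certificates from the question and two
# candidate certificates for the federation service named in the reply.
CERTIFICATES: Dict[str, List[str]] = {
    "website1": ["www.website1.com"],
    "website2": ["www.website2.com"],
    "adfs-dedicated": ["login.websites.com"],
    "adfs-wildcard": ["*.websites.com"],
}

# The name users are redirected to for sign-in, as in the reply's flow.
FEDERATION_SERVICE_NAME = "login.websites.com"


if __name__ == "__main__":
    for label, ok in audit_certificates(CERTIFICATES, FEDERATION_SERVICE_NAME).items():
        print(f"{label:16s} covers {FEDERATION_SERVICE_NAME}: {ok}")
```

Running it shows only the two certificates issued for the federation service name pass; the website certificates fail, which is the reply's point that the website SSL certificates and the ADFS certificate are unrelated. The same matching logic applies to the proxy, which presents the same federation service name to external users.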