Token-signing certificate renewal - invalid assertion

Question

  • Hi,

    My ADFS server has auto-generated a new token-signing certificate as expected.

    Currently it is still secondary, but will be promoted to primary in a week or so.

    I've exported the new certificate (DER encoded) and uploaded onto the admin console of a couple of Relying Party Trusts.

    In the past this is all I've had to do but for some reason this time the applications don't like it.  Typical error is "Failed: Signature Invalid".  The SAML assertion validator also reports Signature issues.

    My understanding is that both primary and secondary certificates should work for a period.

    Any suggestions welcome.

    Tuesday, March 21, 2017 2:29 PM

Answers

  • After further investigation, the problem lies with the various applications.  Some can only cope with a primary certificate and ignore the secondary.  This unfortunately means I have to do the certificate change-over all in one, rather than having a few days to gradually move applications onto the new certificate.
    • Marked as answer by catmandu Tuesday, March 21, 2017 8:28 PM
    Tuesday, March 21, 2017 8:28 PM
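The failure mode described in the answer, as an added example that is not part of the original thread: a relying party that trusts only the primary token-signing certificate starts rejecting assertions the moment ADFS promotes the secondary, while one that loads both certificates keeps validating across the rollover. It assumes a simplified signature over the raw assertion bytes (real SAML uses XML-DSig) and freshly generated RSA keys in place of the exported DER certificates.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// newSigningKey stands in for one ADFS token-signing certificate; constructed
// example: a fresh RSA key takes the place of the exported DER certificate.
func newSigningKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// signAssertion models ADFS, which signs each assertion with its current primary key.
func signAssertion(assertion []byte, primary *rsa.PrivateKey) []byte {
	h := sha256.Sum256(assertion)
	sig, err := rsa.SignPKCS1v15(rand.Reader, primary, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// verifyAssertion is the relying-party check: the signature is accepted if any trusted
// certificate verifies it, so an RP that loads only the old primary fails after promotion.
func verifyAssertion(assertion, sig []byte, trusted []*rsa.PublicKey) error {
	h := sha256.Sum256(assertion)
	for _, pub := range trusted {
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil {
			return nil
		}
	}
	return fmt.Errorf("Signature Invalid: no trusted token-signing certificate matches")
}

func main() {
	oldCert, newCert := newSigningKey(), newSigningKey()
	assertion := []byte("<saml:Assertion>constructed sample</saml:Assertion>")
	sig := signAssertion(assertion, newCert) // ADFS after promoting the new certificate
	fmt.Println("primary-only RP:", verifyAssertion(assertion, sig, []*rsa.PublicKey{&oldCert.PublicKey}))
	fmt.Println("rollover-aware RP:", verifyAssertion(assertion, sig, []*rsa.PublicKey{&oldCert.PublicKey, &newCert.PublicKey}))
}
```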