Do I need to resend federationmetadata.xml to all Relying Parties after enabling endpoint?

  • Question

  • Hello,

    Our ADFS setup is: 1x ADFS 2.0 server on corpnet, 1x ADFS 2.0 Proxy on perimeter network.

    One of our software providers asks me to create Relying Party Trust to ADFS 2.0 for their application. They asked me to enable /adfs/services/trust/13/windowsmixed endpoint from our ADFS server.

    There are 5 other Relying Party Trusts on our ADFS server and I'm worried how enabling this endpoint might affect the existing RPs. When testing, I noticed that federationmetadata.xml is updated after you enable endpoints on the ADFS server. For example, the ID value at the beginning of the xml file is changed.

    My question is, do I need to resend "new" federationmetadata.xml to all 5 Relying Parties after I enable this endpoint on our ADFS server? (Relying Parties are not able to download federationmetadata.xml from our ADFS due to firewall restrictions)

    Thank you already!

    Thursday, June 16, 2016 10:17 AM

Answers

  • I don't even think that this endpoint is anywhere on the Metadata. As long as your Token Signing cert or your trust identifier did not change, there is no need here to ask your partner to reload anything from the metadata.

    However, make sure they know how to do it anyways because at one point your Token Signing cert will expire and they will have to update their trust configuration.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, June 17, 2016 1:29 PM
  • No you don't. Your existing Relying Party Trusts (Service Providers) will keep working as they do today. The only one interested in your "new" FedMeta might be the Service Provider that asked you to enable that Endpoint.
    Friday, June 17, 2016 1:54 PM
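To check the answer above for yourself before deciding whether to resend metadata, the added example below (not from this thread) compares two federationmetadata.xml documents on the only fields a Relying Party trust pins to: the entityID (trust identifier) and the token-signing certificate thumbprints. The document's changing ID attribute is ignored on purpose. The entityID and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _metadata(doc_id: str, cert_bytes: bytes) -> str:
    """Build a constructed, heavily trimmed federationmetadata.xml (hypothetical
    entityID; cert_bytes stands in for the DER of the token-signing cert)."""
    b64 = base64.b64encode(cert_bytes).decode()
    return (f'<EntityDescriptor xmlns="{NS["md"]}" ID="{doc_id}" '
            'entityID="http://sts.example.com/adfs/services/trust">'
            '<IDPSSODescriptor protocolSupportEnumeration='
            '"urn:oasis:names:tc:SAML:2.0:protocol">'
            f'<KeyDescriptor use="signing"><KeyInfo xmlns="{NS["ds"]}"><X509Data>'
            f'<X509Certificate>{b64}</X509Certificate></X509Data></KeyInfo>'
            '</KeyDescriptor></IDPSSODescriptor></EntityDescriptor>')

def rp_relevant(metadata_xml: str) -> dict:
    """Extract what an RP trust depends on: the entityID and the SHA-1
    thumbprints of every signing certificate. The root ID attribute is not
    read: it changes on every regeneration, but no RP configuration uses it."""
    root = ET.fromstring(metadata_xml)
    thumbs = set()
    for kd in root.findall(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # no 'use' means any use
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            thumbs.add(hashlib.sha1(der).hexdigest().upper())
    return {"entity_id": root.get("entityID"), "signing_thumbprints": thumbs}

def needs_redistribution(old_xml: str, new_xml: str) -> bool:
    """True only when a field an RP trust actually pins to has changed."""
    return rp_relevant(old_xml) != rp_relevant(new_xml)

# Constructed samples: enabling an endpoint regenerates the document (new ID)
# but leaves the signing cert alone; a cert rollover does change it.
BEFORE = _metadata("_id-before", b"constructed-signing-cert-2016")
AFTER_ENDPOINT = _metadata("_id-after", b"constructed-signing-cert-2016")
AFTER_CERT_ROLLOVER = _metadata("_id-rollover", b"constructed-signing-cert-2017")

if __name__ == "__main__":
    print(needs_redistribution(BEFORE, AFTER_ENDPOINT))       # False
    print(needs_redistribution(BEFORE, AFTER_CERT_ROLLOVER))  # True
```

Run it against the real before/after files by reading them into strings; a True result means the partner must update the trust, which is exactly the certificate-expiry case the answer warns about.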

All replies

  • Exactly the information I was looking for. Thank you Pierre and MolokoVelocette.

    Saturday, June 18, 2016 7:45 AM