Updating SAML Response certificate in AD FS

When the certificate AD FS uses to sign SAML Responses is close to expiring, you need to prepare to replace it. The process starts with obtaining a new certificate from your certificate authority; how that is done varies a lot between organizations, so it is not covered here.

First, import the new certificate together with its private key into the “Local Computer\Personal\Certificates” store on the AD FS server, typically from a *.pfx or *.p12 file or similar.

You can verify in the certificate's properties that it contains the private key (see the key symbol in the screenshot below).

Then open the AD FS management console and add the new certificate using “Add Token-Signing Certificate”.

Then log in to Kantega SSO and navigate to the Metadata page of your AD FS setup. On this page, press “Refresh now” so that Kantega SSO trusts the newly added certificate. Kantega SSO supports trusting more than one certificate in the token-signing setup.

Finally, a few days before the old certificate expires, set the new certificate as primary. From that point on, SAML Responses are signed with the new certificate. You do not have to do anything more in Kantega SSO, since it already trusts the new certificate. Once everything works, you can remove the old certificate from AD FS. You may also perform another metadata refresh in K-SSO to remove trust in the old certificate.
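The same rollover done with the AD FS PowerShell cmdlets, as an added example that is not part of the original article or of Kantega SSO: the first run adds the new certificate and checks that the federation metadata (what Kantega SSO reads on “Refresh now”) now lists both signing keys; the later run with `-Cutover` makes it primary and removes the old one. It assumes you run it on the primary AD FS server as an AD FS administrator, that the new certificate is already imported into the computer store, and that the thumbprint and host values below are placeholders for your own.

```powershell
param([switch]$Cutover)   # run without -Cutover first; with -Cutover a few days before expiry

# Placeholders (assumed values, replace with your own).
$newThumbprint = 'NEW-CERT-THUMBPRINT-PLACEHOLDER'
$oldThumbprint = 'OLD-CERT-THUMBPRINT-PLACEHOLDER'
$adfsHost      = 'adfs.example.com'

if (-not $Cutover) {
    # 1. The imported certificate must carry its private key (the key symbol in the
    #    certificate properties dialog); otherwise AD FS cannot sign with it.
    $cert = Get-Item "Cert:\LocalMachine\My\$newThumbprint"
    if (-not $cert.HasPrivateKey) { throw "Certificate $newThumbprint has no private key" }
    "New certificate expires $($cert.NotAfter)"

    # 2. Manual certificate management requires automatic rollover to be off.
    if ((Get-AdfsProperties).AutoCertificateRollover) {
        Set-AdfsProperties -AutoCertificateRollover $false
    }

    # 3. Add the new certificate as a secondary token-signing certificate
    #    (equivalent to "Add Token-Signing Certificate" in the console).
    Add-AdfsCertificate -CertificateType Token-Signing -Thumbprint $newThumbprint

    # 4. Confirm the federation metadata advertises both signing keys before you
    #    press "Refresh now" in Kantega SSO.
    $uri = "https://$adfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
    $md  = [xml](Invoke-WebRequest -UseBasicParsing -Uri $uri).Content
    $ns  = @{ md = 'urn:oasis:names:tc:SAML:2.0:metadata'; ds = 'http://www.w3.org/2000/09/xmldsig#' }
    $xp  = '//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
    Select-Xml -Xml $md -Namespace $ns -XPath $xp | ForEach-Object {
        $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
                 [Convert]::FromBase64String($_.Node.InnerText))
        "Published signing cert {0} expires {1}" -f $c.Thumbprint, $c.NotAfter
    }
}
else {
    # 5. Make the new certificate primary; SAML Responses are signed with it from now on.
    Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint $newThumbprint -IsPrimary

    # 6. Once sign-ins work, remove the old certificate. A further metadata refresh in
    #    Kantega SSO then drops trust in it.
    Remove-AdfsCertificate -CertificateType Token-Signing -Thumbprint $oldThumbprint
}

# Show the resulting token-signing configuration and which certificate is primary.
Get-AdfsCertificate -CertificateType Token-Signing | Format-Table Thumbprint, IsPrimary
```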