Renew the token-signing certificate for Office 365 and Azure Active Directory when you have a non-Windows federation service

A few days ago I had to renew the token-signing certificate in the Security Token Service (non-Windows) deployed on premises.

In this case the Security Token Service was running under F5 BIG-IP Access Policy Manager: Authentication and Single Sign-On.

Once I did it, the question was,

Should I do anything else in Azure and O365 to maintain the federation trust?

If you have a Windows federation service, typically known as ADFS, you don't need to do any extra task.

By default, ADFS includes an auto-renewal process called AutoCertificateRollover.

If you have ADFS 2.0 or later, Office 365 and Azure AD automatically update your certificate before it expires when AutoCertificateRollover is set to True.

You can check this value by running the cmdlet Get-ADFSProperties.

But in this case the answer to this question is YES.

I don't have a Windows federation service, so I had to do an extra task to update my signing certificate in order to maintain the federation trust.

At this point I am going to explain what I did.

First of all, I saved the new certificate as pf-signing.crt on my computer in the following path: c:\temp

I opened a new file in Notepad and added the following lines:

Note: Keep in mind to put your Office 365 domain name first.

$certFile = "C:\temp\pf-signing.crt"

$cert = [IO.File]::ReadAllText($certFile)

$cert = $cert.replace("-----BEGIN CERTIFICATE-----","")

$cert = $cert.replace("-----END CERTIFICATE-----","")

$cert = $cert.replace("`r","")

$cert = $cert.replace("`n","")

$domainName = "myO365domain"

$protocol = "SAMLP"

Set-MsolDomainFederationSettings -DomainName "$domainName" -SigningCertificate "$cert" -PreferredAuthenticationProtocol $protocol

Then I saved it as a PowerShell script file, cert-update.ps1, in the C:\temp folder.

Then I opened the Azure Active Directory Module for Windows PowerShell to connect to my Office 365 tenant with admin credentials.

This can be done by running Connect-MsolService.

And finally I ran the PowerShell script created above from the local path: c:\temp

.\cert-update.ps1
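
A check to run before and after the update, as an added example that is not part of the original post: it parses pf-signing.crt, refuses a file that contains private key material or is outside its validity window, and compares its thumbprint with the signing certificate the tenant currently trusts. It assumes Connect-MsolService has already been run; the helper names ConvertTo-Base64Body and Get-CertFromBase64 are hypothetical, and the path and domain name are the ones used in the post.

```powershell
$certFile   = "C:\temp\pf-signing.crt"   # path used in the post
$domainName = "myO365domain"             # placeholder domain from the post

function ConvertTo-Base64Body {
    param([string]$Pem)
    # Drop the PEM armor lines and all whitespace, leaving only the base64 body
    ($Pem -replace "-----(BEGIN|END) CERTIFICATE-----", "") -replace "\s", ""
}

function Get-CertFromBase64 {
    param([string]$Base64)
    # Throws if the text is not valid base64 or not a parseable X.509 certificate
    $bytes = [Convert]::FromBase64String($Base64)
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
}

$pem = [IO.File]::ReadAllText($certFile)

# Only the public certificate belongs in the tenant; stop if a key was exported with it
if ($pem -match "PRIVATE KEY") {
    throw "$certFile contains private key material; export the public certificate only."
}

$new = Get-CertFromBase64 (ConvertTo-Base64Body $pem)
$now = Get-Date
if ($now -lt $new.NotBefore -or $now -gt $new.NotAfter) {
    throw "Certificate is not currently valid: $($new.NotBefore) to $($new.NotAfter)"
}
"New cert: {0}, thumbprint {1}, expires {2}" -f $new.Subject, $new.Thumbprint, $new.NotAfter

# Read what the tenant trusts today for this federated domain
$fed = Get-MsolDomainFederationSettings -DomainName $domainName
if (-not $fed.SigningCertificate) {
    throw "No signing certificate returned for $domainName; is the domain federated?"
}
$current = Get-CertFromBase64 $fed.SigningCertificate

if ($current.Thumbprint -eq $new.Thumbprint) {
    "Tenant already trusts the new certificate."
} else {
    "Tenant still trusts {0} (expires {1}); the update has not been applied." -f $current.Thumbprint, $current.NotAfter
}
```

Running it again after .\cert-update.ps1 should report that the tenant already trusts the new certificate.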
