Microsoft require(d?) that the certificate protecting the ECP endpoint of a SAML2/Shibboleth domain federated with Office 365 be a “trusted” certificate (one issued by what Microsoft consider a trusted root CA), and also that this certificate match the trust-fabric certificate.
These certificates expire and therefore need updating from time to time 🙁
Unfortunately the procedure isn’t as clear as it could be… simply running another Set-MSOLDomainSettings is silently ignored (gee, thanks Microsoft!).
The basic process is to move the domain back to managed (unfederated) mode then re-enable federated mode with the new certificate.
I’ve used the following PowerShell script (remember to run Connect-MsolService beforehand!):
$dom = "example.com"
$feddom = "Federation for example.com"
$url = "https://idp.example.com/idp/profile/SAML2/POST/SSO"
$ecpUrl = "https://idp.example.com:8443/idp/profile/SAML2/SOAP/ECP"
$uri = "https://idp.example.com/idp/shibboleth"
$logouturl = "https://idp.example.com/idp/SingleLogout?ReturnTo=http://www.example.com/"
# Base64-encoded new IdP signing certificate (truncated here)
$cert = "MMIIDVzCCAj+gAwIBAgI..."

# Step 1: move the domain back to managed (unfederated) mode
Set-MsolDomainAuthentication -DomainName $dom -Authentication Managed

# Step 2: re-enable federation with the new certificate
Set-MsolDomainAuthentication `
    -DomainName $dom `
    -FederationBrandName $feddom `
    -Authentication Federated `
    -PassiveLogOnUri $url `
    -ActiveLogOnUri $ecpUrl `
    -SigningCertificate $cert `
    -IssuerUri $uri `
    -LogOffUri $logouturl `
    -PreferredAuthenticationProtocol SAMLP

# Step 3: confirm the tenant now holds the new settings
Get-MsolDomainFederationSettings -DomainName $dom
Note the backticks allow the command to be spread over multiple lines.
In the past these two Set operations took quite a while, depending on the size of the domain being moved; this appears to have been sorted now (yay!), so both completed within about 10 seconds.
Remember to update your certificate in the IDP and restart that too!
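A check worth running before and after the switch, added here as an example rather than code from the original post: it pulls the signing certificate the tenant currently holds for the domain, fetches the TLS certificate the ECP endpoint actually presents, and reports whether the two match (the requirement the post describes), whether the ECP certificate chains to a trusted root, and how close to expiry the tenant copy is. It assumes Connect-MsolService has already been run; the domain and ECP URL are the post's example values.

```powershell
# Added example, not part of the original post. Assumes the MSOnline module is
# loaded and Connect-MsolService has already been run.
param(
    [string]$Domain = "example.com",
    [string]$EcpUrl = "https://idp.example.com:8443/idp/profile/SAML2/SOAP/ECP"
)

function Get-TenantSigningCertificate([string]$DomainName) {
    # SigningCertificate comes back as the base64 DER the tenant was given
    $settings = Get-MsolDomainFederationSettings -DomainName $DomainName
    $bytes = [Convert]::FromBase64String($settings.SigningCertificate)
    return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
}

function Get-RemoteTlsCertificate([uri]$Url) {
    # Open a TLS session and grab the leaf certificate the server presents.
    # The callback accepts any certificate so we can inspect it; chain trust
    # is evaluated separately with Verify() below.
    $client = [System.Net.Sockets.TcpClient]::new($Url.Host, $Url.Port)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Url.Host)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $ssl.Dispose()
        return $leaf
    } finally {
        $client.Dispose()
    }
}

$tenantCert = Get-TenantSigningCertificate $Domain
$ecpCert    = Get-RemoteTlsCertificate ([uri]$EcpUrl)

"Tenant signing cert : {0}  expires {1:u}" -f $tenantCert.Thumbprint, $tenantCert.NotAfter
"ECP TLS cert        : {0}  expires {1:u}" -f $ecpCert.Thumbprint, $ecpCert.NotAfter
"ECP cert chains to a trusted root: {0}" -f $ecpCert.Verify()

if ($tenantCert.Thumbprint -ne $ecpCert.Thumbprint) {
    Write-Warning "Tenant still holds a different signing certificate than the ECP endpoint presents; re-run the managed/federated switch."
}
$daysLeft = ($tenantCert.NotAfter - (Get-Date)).Days
if ($daysLeft -lt 30) {
    Write-Warning "Tenant signing certificate expires in $daysLeft days."
}
```

Run it once before updating (expect a mismatch or a short expiry) and again after the IdP restart, when both thumbprints should agree.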
This is how I remember it to work, yes. The documentation back then was pretty atrocious but it’s improved; that said, I can’t find any reference to it now…
I ran into your post while debugging some ECP problems of my own. I would like some clarification. Do you mean that the ECP SSL certificate and the signing certificate for the web SSO profiles must be the same and publicly trusted?