Microsoft require(d?) that the certificate protecting the ECP endpoint for\u00a0a SAML2\/Shibboleth federated domain from Office365 was a “trusted” certificate (one issued by what Microsoft consider a trusted root CA) and also required that this certificate matched the trust-fabric certificate.<\/p>\n
These certificates expire and therefore need updating from time to time \ud83d\ude41<\/p>\n
Unfortunately this isn’t as clear as it could be\u2026 just running another Set-MSOLDomainSettings is just silently ignored (gee, thanks Microsoft!).<\/p>\n
The basic process is to move the domain back to\u00a0managed<\/em> (unfederated) mode then re-enable federated mode with the new certificate.<\/strong><\/p>\n I’ve used the following Powershell script (remember to Note the backticks allow the command to be spread over multiple lines.<\/em><\/p>\n In the past these two Set processes have taken quite a while depending on the size of the domain being moved however this appears to have been sorted now (yay!) so both were completed within about 10 seconds.<\/p>\n Remember to update your certificate in the IDP and restart that too!<\/p>\n See also:<\/p>\n Microsoft require(d?) that the certificate protecting the ECP endpoint for\u00a0a SAML2\/Shibboleth federated domain from Office365 was a “trusted” certificate (one issued by what Microsoft consider … Read more<\/a><\/p>\n","protected":false},"author":13,"featured_media":322,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[28923,28933,122],"tags":[],"_links":{"self":[{"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/posts\/317"}],"collection":[{"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/comments?post=317"}],"version-history":[{"count":7,"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/posts\/317\/revisions"}],"predecessor-version":[{"id":325,"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/posts\/317\/revisions\/325"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/media\/322"}],"wp:attachment":[{"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/media?parent=317"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/categories?post=317"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.kent.ac.uk\/unseenit\/wp-json\/wp\/v2\/tags?post=317"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Connect-MsolService<\/code> beforehand!):<\/p>\n\r\n$dom = \"example.com\"\r\n$feddom = \"Federation for example.com\"\r\n$url = \"https:\/\/idp.example.com\/idp\/profile\/SAML2\/POST\/SSO\"\r\n$ecpUrl = \"https:\/\/idp.example.com:8443\/idp\/profile\/SAML2\/SOAP\/ECP\"\r\n$uri = \"https:\/\/idp.example.com\/idp\/shibboleth\"\r\n$logouturl = \"https:\/\/idp.example.com\/idp\/SingleLogout?ReturnTo=http:\/\/www.example.com\/\"\r\n$cert = \"MMIIDVzCCAj+gAwIBAgI...\"\r\n\r\nSet-MsolDomainAuthentication -domainname $dom -authentication managed\r\n\r\nSet-MsolDomainAuthentication `\r\n -domainname $dom `\r\n -FederationBrandName $feddom `\r\n -Authentication Federated `\r\n -PassiveLogOnUri $url `\r\n -ActiveLogOnUri $ecpUrl `\r\n -SigningCertificate $cert `\r\n -IssuerUri $uri `\r\n -LogOffUri $logouturl `\r\n -PreferredAuthenticationProtocol SAMLP\r\n\r\nGet-MsolDomainFederationSettings -domain $dom\r\n<\/pre>\n
\n