I've recently renewed our token signing and decrypting certificates in ADFS, and I'm about to distribute them since some of our applications can't update from the metadata. My main question is whether relying party trusts ever use the token decrypting certificate, or is it strictly the token signing certificate? I believe the token decrypting certificate is only needed when ADFS receives tokens from an upstream identity provider. Are there any potential issues I should be aware of? I assume that the new secondary token signing certificate just needs to be given to the applications using ADFS, and once they all update, we can roll over the certificate.
2 Answers
It really depends on the application and relying party. In my experience with ADFS, I've never encountered a relying party that required the tokens to be encrypted; they usually just need them signed. Also, if you're transitioning away from ADFS, that's a smart move!
I see you’re moving away from ADFS! Where are you planning to migrate to?
The token decrypting certificate is only necessary for downstream identity providers that encrypt the tokens sent to ADFS. The token signing certificate, however, is used by both downstream identity providers and upstream applications. Here are a couple of things to watch for:
- Some upstream apps may only support one certificate, which means if you set up the new token signing certificate, it may only work after you switch it in ADFS.
- If you manually import metadata into an upstream app, or if it pulls metadata automatically, and that app only checks the first certificate listed, it might glitch until you make the switch. Ideally, the app should look for either of the first two token signing certificates in the metadata or at least the last one.
To figure out the behavior, check the app documentation, reach out to the vendor, or just test it out! I've designed ADFS infrastructures with numerous apps and planned around such scenarios to ensure everything runs smoothly.
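One way to check the "only reads the first certificate" risk before the rollover is to parse the published FederationMetadata.xml and list its KeyDescriptors in document order. The script below is an added example, not part of the answer above and not ADFS tooling; it assumes the standard SAML metadata namespaces and runs against a constructed sample whose certificate blobs are placeholder bytes rather than real X.509 DER.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used in SAML/WS-Federation metadata (ADFS FederationMetadata.xml).
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def thumbprint(der: bytes) -> str:
    """SHA-1 of the DER bytes: the thumbprint ADFS and the Windows cert store show."""
    return hashlib.sha1(der).hexdigest().upper()

def list_key_descriptors(metadata_xml: str) -> list:
    """KeyDescriptors in document order; the first 'signing' one is what an app that only reads the first listed certificate trusts."""
    found = []
    for kd in ET.fromstring(metadata_xml).iter("{%s}KeyDescriptor" % NS["md"]):
        cert_el = kd.find(".//ds:X509Certificate", NS)
        if cert_el is None or not cert_el.text:
            continue  # malformed entry: report the valid ones rather than crash
        der = base64.b64decode(cert_el.text.strip())
        # In SAML metadata a KeyDescriptor without 'use' serves both roles.
        found.append({"use": kd.get("use", "both"), "thumbprint": thumbprint(der)})
    return found

def signing_thumbprints(metadata_xml: str) -> list:
    return [d["thumbprint"] for d in list_key_descriptors(metadata_xml)
            if d["use"] in ("signing", "both")]

def first_signing_cert_matches(metadata_xml: str, primary_thumbprint: str) -> bool:
    """True when the first published signing cert is the thumbprint ADFS reports as its primary token-signing certificate."""
    signing = signing_thumbprints(metadata_xml)
    return bool(signing) and signing[0] == primary_thumbprint.upper()

# Constructed sample of the metadata shape after a secondary token-signing
# certificate is added. The blobs are placeholder bytes, not real X.509 DER.
OLD_SIGNING, NEW_SIGNING, DECRYPTING = (b"placeholder-old-signing-cert",
                                        b"placeholder-new-signing-cert",
                                        b"placeholder-token-decrypting-cert")
_KD = ('<KeyDescriptor use="%s"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
       '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>')
SAMPLE_METADATA = (
    '<EntityDescriptor xmlns="%s" xmlns:ds="%s" entityID="http://adfs.example.test/adfs/services/trust">'
    '<IDPSSODescriptor>' % (NS["md"], NS["ds"])
    + _KD % ("signing", base64.b64encode(OLD_SIGNING).decode())
    + _KD % ("signing", base64.b64encode(NEW_SIGNING).decode())
    + _KD % ("encryption", base64.b64encode(DECRYPTING).decode())
    + "</IDPSSODescriptor></EntityDescriptor>")

if __name__ == "__main__":
    print(*list_key_descriptors(SAMPLE_METADATA), sep="\n")
```

Against a real deployment, feed it the metadata you hand to each app and compare the first signing thumbprint with the primary that ADFS reports; while the old certificate is still listed first, apps that only honour the first entry keep working until you switch the primary.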

That's what I thought too. We're also hurrying to migrate from ADFS since I've just taken over this project. We're transitioning to Okta, but have to renew these certs first because we won't have everything moved before the current ones expire.