AD FS Configuration – SSL certificate must be from a public certificate authority

We’re seeing a lot of activity in configuring environments for use of the AX mobile apps. One of the more complex steps in the configuration is setting up Active Directory Federation Services (AD FS). One consistent issue we are seeing is the lack of an SSL certificate issued by a publicly trusted certificate authority (CA). Since the mobile app exchanges credentials and tokens with AD FS, SSL is used to prevent eavesdropping on that exchange.

In some cases a “self-signed” or “self-issued” certificate is being used. Unfortunately, in that case the mobile app will not send an authentication request to AD FS, because it cannot establish a trusted SSL connection. In order to use SSL, the site the mobile app communicates with (in this case AD FS) must have an SSL certificate issued by a recognized CA. The CA validates that the certificate is being issued to the owner of the domain from which the mobile app requests authentication. SSL certificates cost anywhere from less than 100 USD upward.

There is also another certificate involved in AD FS configuration, known as the token signing certificate. Its purpose is to sign the token that is returned to the mobile app after the user’s credentials have been authenticated. The token signing certificate can be self-signed and does not need to be issued by a CA.
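The following PowerShell script is an added example (not part of the original post) that performs the same trust check the mobile app does: it connects to the AD FS endpoint, captures the SSL certificate the service presents, and reports whether it is self-signed and whether it chains to a root trusted by the local machine. The host name `adfs.example.com` is a placeholder for your federation service name; run it from a machine that has not had the self-signed certificate manually imported, so the result reflects what a real client sees.

```powershell
# Added example, not from the original post. Replace $AdfsHost with your federation service name.
param([string]$AdfsHost = "adfs.example.com", [int]$Port = 443)

$captured = @{ Cert = $null; Errors = $null }

# The callback records the server certificate and the policy errors reported by the TLS stack,
# then accepts the handshake so the certificate can be inspected instead of failing early.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $captured.Cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
    $captured.Errors = $errors
    return $true
}

$client = New-Object System.Net.Sockets.TcpClient($AdfsHost, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($AdfsHost)   # host name is also used for subject name matching
    $ssl.Dispose()
} finally {
    $client.Close()
}

$cert = $captured.Cert
# A self-signed certificate has the same distinguished name as subject and issuer.
$selfSigned = ($cert.Subject -eq $cert.Issuer)

# Build the chain against the local machine's trusted roots, the same check a client performs.
# Revocation is skipped here so the result reflects trust only, not OCSP/CRL reachability.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($cert)

[PSCustomObject]@{
    Host            = $AdfsHost
    Subject         = $cert.Subject
    Issuer          = $cert.Issuer
    NotAfter        = $cert.NotAfter
    SelfSigned      = $selfSigned
    ChainsToRoot    = $trusted
    ChainStatus     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    TlsPolicyErrors = $captured.Errors
}

if ($selfSigned -or -not $trusted) {
    Write-Warning "The SSL certificate on $AdfsHost will not be trusted by the mobile app; replace it with one issued by a public CA."
}
```

This check applies only to the SSL (service communications) certificate; the token signing certificate, shown by `Get-AdfsCertificate -CertificateType Token-Signing`, may remain self-signed as described above.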

Following are some helpful references:

This article explains the certificate requirements for AD FS: https://technet.microsoft.com/en-us/library/dd807040(v=ws.10).aspx

This article explains the process for requesting a certificate from a CA: https://msdn.microsoft.com/en-us/library/windowsazure/gg981937.aspx

For general information about SSL, refer to this article: https://msdn.microsoft.com/en-us/library/windows/desktop/aa364691(v=vs.85).aspx

Hopefully that helps clear up some of the confusion about SSL certificates and AD FS.