One caveat of using ADFS as the authentication provider for SharePoint is that, out of the box, SharePoint has no way to pick up a new ADFS token signing certificate automatically when it changes on the ADFS side. ADFS admins often leave certificate auto rollover enabled: ADFS then generates a new self-signed token signing certificate and promotes it to primary some days before the current one expires (the timings are the CertificateGenerationThreshold and CertificatePromotionThreshold values shown by Get-AdfsProperties). From that moment ADFS signs tokens with a certificate SharePoint does not trust, so unless the SharePoint admin knows in advance when the rollover will happen, which is rarely the case, ADFS authentication to SharePoint breaks until someone notices that the certificate changed and updates it in the ADFS provider settings in SharePoint.
At the end of this post you can find a PowerShell script that can be run from a scheduled task. The script does the following:
- Using the AD FS Diagnostics PowerShell module, it requests a security token from the ADFS server; the certificate that signed the token is the current primary signing certificate.
- If that certificate is not already in the SharePoint trust store, it adds it.
- If the current primary certificate in ADFS differs from the signing certificate configured on the ADFS login provider in SharePoint, it updates the provider to use the new certificate.
Note that the script trusts whichever certificate signed the token it received, so the HTTPS request to the federation server is the only thing standing between you and a rogue signing certificate: the host name must resolve to your federation service and its TLS certificate must chain to a CA the SharePoint server trusts.
The script takes two arguments:
- FederationServer: this is the host name of the ADFS server, for example, fs.contoso.com
- TrustedProvider: this is the name of the AD FS login provider in SharePoint, something like “Contoso ADFS”. The following PowerShell will output the names of the trusted providers configured in SharePoint:
Get-SPTrustedIdentityTokenIssuer | ft Name
Even if you do not use the certificate auto rollover feature and instead update the token signing certificate in ADFS manually, the same script can be used to push the new certificate to SharePoint: run it once after the manual change, or simply leave it scheduled.
Finally, the requested security token carries only the certificate that signed it, not the issuer chain. If the ADFS signing certificate is not self-signed, only that leaf certificate is imported into SharePoint. SharePoint documentation says that every certificate in the chain (intermediate and root CA certificates) must be added to the trust store, but that should already have been done when the ADFS provider was first configured in SharePoint, so it is not something you normally need to care about when updating the certificate, unless the CA that issues the certificate has changed.
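The three steps described above (request a token, add the signing certificate to the SharePoint trust store, repoint the login provider) with the chain caveat handled as a warning, written out as an added example. This is illustration code, not the Update-AdfsSigningCertificate.ps1 script the post links to. It assumes (not stated in the post) that the ADFSDiagnostics module's Test-AdfsServerToken accepts -FederationServer and -AppliesTo and returns the token response XML as a string, that the AppliesTo value is a relying party identifier your ADFS knows, and that it runs in the SharePoint Management Shell on a farm server.

```powershell
# Added example, not the post's Update-AdfsSigningCertificate.ps1.
# Assumptions (not from the post): Test-AdfsServerToken returns the token XML as a
# string; the default -AppliesTo is a placeholder relying party identifier.
param(
    [Parameter(Mandatory)] [string] $FederationServer,   # e.g. fs.contoso.com
    [Parameter(Mandatory)] [string] $TrustedProvider,    # e.g. "Contoso ADFS"
    [string] $AppliesTo = 'urn:sharepoint:contoso'       # placeholder RP identifier
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Pull the signing certificate out of <ds:Signature><ds:KeyInfo> of a token.
# Only the leaf certificate travels in KeyInfo; the issuer chain never does,
# which is why a CA-issued chain must already be trusted by SharePoint.
function Get-SigningCertificateFromToken {
    param([Parameter(Mandatory)] [string] $TokenXml)
    $doc = [xml] $TokenXml
    $ns  = New-Object -TypeName System.Xml.XmlNamespaceManager -ArgumentList $doc.NameTable
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $node = $doc.SelectSingleNode('//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns)
    if (-not $node) { throw 'Token carries no X509Certificate in its signature KeyInfo.' }
    $raw = [Convert]::FromBase64String($node.InnerText.Trim())
    # The leading comma keeps the byte[] as a single constructor argument.
    return New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
}

# 1. Ask ADFS for a token. Whatever signed it is the current primary certificate.
#    This trust is bootstrapped from the HTTPS connection to $FederationServer,
#    so DNS and the TLS chain of that host must be sound.
Import-Module ADFSDiagnostics
$tokenXml = [string] (Test-AdfsServerToken -FederationServer $FederationServer -AppliesTo $AppliesTo)
$cert = Get-SigningCertificateFromToken -TokenXml $tokenXml

if ($cert.NotAfter -lt (Get-Date)) {
    throw "ADFS returned an expired signing certificate ($($cert.Thumbprint)); refusing to trust it."
}
Write-Host "ADFS signs with $($cert.Subject) [$($cert.Thumbprint)], valid until $($cert.NotAfter)"

if ($cert.Subject -ne $cert.Issuer) {
    Write-Warning 'Signing certificate is CA-issued; only the leaf was retrieved. The issuing chain must already be in the SharePoint trust store.'
}

# 2. Add it to the SharePoint trust store if not already there (match on thumbprint).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$inStore = Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $cert.Thumbprint }
if (-not $inStore) {
    $name = "ADFS Signing $($cert.Thumbprint)"
    New-SPTrustedRootAuthority -Name $name -Certificate $cert | Out-Null
    Write-Host "Added '$name' to the SharePoint trust store"
}

# 3. Repoint the login provider only when its signing certificate differs.
$provider = Get-SPTrustedIdentityTokenIssuer -Identity $TrustedProvider
if ($provider.SigningCertificate.Thumbprint -ne $cert.Thumbprint) {
    Set-SPTrustedIdentityTokenIssuer -Identity $TrustedProvider -ImportTrustCertificate $cert
    Write-Host "Provider '$TrustedProvider' now uses thumbprint $($cert.Thumbprint)"
} else {
    Write-Host "Provider '$TrustedProvider' already uses the current ADFS signing certificate"
}
```

Run it as the farm account from a scheduled task, for example `.\Update-SigningCert.ps1 -FederationServer fs.contoso.com -TrustedProvider "Contoso ADFS"`. Matching on thumbprint rather than subject is deliberate: a rolled-over certificate keeps the same subject name, so a subject comparison would never detect the change. Get-SigningCertificateFromToken can be exercised on its own against a token saved to disk, which is a convenient way to check the parsing before wiring it into the farm.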
Get the script from GitHub: Update-AdfsSigningCertificate.ps1