Signing Certificate Rotation in ADFS for SAML

Question asked by Jack Butterworth on Jul 14, 2017
Is anyone using ADFS as a back end for SAML sign on? We've recently encountered an issue with signing certificates wherein prior to ADFS's signing certificate expiring, it adds a new certificate as a primary and rotates the current (soon to expire) certificate into secondary.


Our ADFS metadata then contains two signing certificates, but Canvas (and they have confirmed this) can only handle a single certificate for request signing, and merely chooses the first one in the metadata. This causes issues as ADFS is now signing with a new certificate, but the old one continues to appear in the metadata for a week or so, and appears first (not that order should ever matter in XML), thus Canvas believes the incoming request to be invalid and refuses to authenticate the user.


If anyone's worked this out yet, or is currently struggling with the same issue, I'd love to hear from you.
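To illustrate the behaviour described above, here is an added example (not from Canvas, ADFS, or the poster) that parses constructed ADFS-style federation metadata carrying two signing KeyDescriptors and contrasts a relying party that trusts only the first listed certificate with one that honours every signing certificate in the metadata. The entityID and the certificate bodies are placeholders, not real X.509 data.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and XML-DSig.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed metadata after an ADFS rollover: the expiring certificate is
# still listed first, the new primary second. Certificate bodies are
# placeholder bytes, not real certificates.
OLD_CERT = base64.b64encode(b"placeholder-old-expiring-cert").decode()
NEW_CERT = base64.b64encode(b"placeholder-new-primary-cert").decode()
METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="http://adfs.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{OLD_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{NEW_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{NEW_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint of the DER bytes inside an X509Certificate element."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def signing_fingerprints(metadata_xml: str) -> list:
    """Fingerprints of all signing certificates, in metadata order.

    A KeyDescriptor with no 'use' attribute is valid for signing as well
    as encryption, so it is included; use="encryption" is skipped.
    """
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            fps.append(fingerprint(cert.text))
    return fps


def trusted_by_first_cert_only(metadata_xml: str, assertion_cert_b64: str) -> bool:
    """A relying party that keeps only the first signing certificate."""
    fps = signing_fingerprints(metadata_xml)
    return bool(fps) and fps[0] == fingerprint(assertion_cert_b64)


def trusted_by_any_signing_cert(metadata_xml: str, assertion_cert_b64: str) -> bool:
    """A relying party that accepts any signing certificate in the metadata."""
    return fingerprint(assertion_cert_b64) in signing_fingerprints(metadata_xml)
```

During the overlap week the first-certificate-only check rejects anything ADFS now signs with the new primary, while the any-certificate check accepts both.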