Submitted URL: https://protect-us.mimecast.com/s/JVzTCpYPzYIgKEN2TDgHVX?domain=emails.azure.microsoft.com
Effective URL: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/tutorial-manage-certificates-for-federated-single-sign-on
Submission: On September 06 via manual from IN — Scanned from US


TUTORIAL: MANAGE CERTIFICATES FOR FEDERATED SINGLE SIGN-ON

 * Article
 * 06/02/2022
 * 7 minutes to read
 * 5 contributors





In this article, we cover common questions and information related to
certificates that Azure Active Directory (Azure AD) creates to establish
federated single sign-on (SSO) to your software as a service (SaaS)
applications. Add applications from the Azure AD application gallery or by using
a non-gallery application template. Configure the application by using the
federated SSO option.

This tutorial is relevant only to apps that are configured to use Azure AD SSO
through Security Assertion Markup Language (SAML) federation.

Using the information in this tutorial, an administrator of the application
learns how to:

 * Generate certificates for gallery and non-gallery applications
 * Customize the expiration dates for certificates
 * Add email notification addresses for certificate expiration dates
 * Renew certificates


PREREQUISITES

 * An Azure account with an active subscription. If you don't already have one,
   Create an account for free.
 * One of the following roles: Global Administrator, Privileged Role
   Administrator, Cloud Application Administrator, or Application Administrator.
 * An enterprise application that has been configured in your Azure AD tenant.


AUTO-GENERATED CERTIFICATE FOR GALLERY AND NON-GALLERY APPLICATIONS

When you add a new application from the gallery and configure a SAML-based
sign-on (by selecting Single sign-on > SAML from the application overview page),
Azure AD generates a self-signed certificate for the application that is valid
for three years. To download the active certificate as a security certificate
(.cer) file, return to that page (SAML-based sign-on) and select a download link
in the SAML Signing Certificate heading. You can choose between the raw (binary)
certificate or the Base64 (base 64-encoded text) certificate. For gallery
applications, this section might also show a link to download the certificate as
federation metadata XML (an .xml file), depending on the requirement of the
application.

You can also download an active or inactive certificate by selecting the SAML
Signing Certificate heading's Edit icon (a pencil), which displays the SAML
Signing Certificate page. Select the ellipsis (...) next to the certificate you
want to download, and then choose which certificate format you want. You have
the additional option to download the certificate in privacy-enhanced mail (PEM)
format. This format is identical to Base64 but with a .pem file name extension,
which isn't recognized in Windows as a certificate format.
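The three download formats above carry the same certificate: the raw .cer is DER, and the Base64 and PEM files are the same Base64 text with a different extension, so a consumer only needs to strip armour and decode before hashing or reading the validity dates. The following is an added example (not Microsoft's code, nor that of any SAML library) that normalises any of the three forms to DER, computes the thumbprint, and reads notBefore/notAfter with a minimal DER walk. It assumes the thumbprint shown in the portal is the SHA-1 of the DER bytes (the conventional X.509 thumbprint); the function names `to_der`, `to_pem`, `to_base64_text`, `thumbprint`, `validity`, `describe` and `build_sample_cert` are this example's own, and the sample certificate it builds is constructed in-script with a dummy key and signature so the code runs offline.

```python
"""Normalise an Azure AD SAML signing certificate download (raw .cer, Base64
.cer or .pem) to DER, compute its thumbprint and read its validity period.

Added example, standard library only. The DER walker reads just the fields it
needs and is not a general X.509 parser; the sample certificate is constructed
here with a dummy key and signature and is not a real Azure AD certificate.
"""
import base64
import hashlib
import re
from datetime import datetime, timezone

# ---- minimal DER encode/decode ----------------------------------------------

def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    size = (n.bit_length() + 7) // 8
    return bytes([0x80 | size]) + n.to_bytes(size, "big")

def der(tag: int, payload: bytes) -> bytes:
    """Wrap payload as one DER TLV element."""
    return bytes([tag]) + _der_len(len(payload)) + payload

def read_tlv(buf: bytes, pos: int):
    """Decode the TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        size = length & 0x7F
        length = int.from_bytes(buf[pos:pos + size], "big")
        pos += size
    return tag, pos, pos + length

# ---- the download formats ---------------------------------------------------

_PEM = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def to_der(data: bytes) -> bytes:
    """Raw DER is returned as-is (a certificate always starts with the SEQUENCE
    tag 0x30). Base64 text, with or without PEM armour, is decoded after the
    armour lines and whitespace are removed."""
    if data[:1] == b"\x30":
        return data
    match = _PEM.search(data)
    body = match.group(1) if match else data
    return base64.b64decode(b"".join(body.split()))

def to_base64_text(der_bytes: bytes) -> bytes:
    """Bare Base64 text of the DER, no armour lines."""
    return base64.b64encode(der_bytes)

def to_pem(der_bytes: bytes) -> bytes:
    """PEM: the same Base64 wrapped at 76 columns between armour lines."""
    return (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der_bytes)
            + b"-----END CERTIFICATE-----\n")

# ---- thumbprint and validity ------------------------------------------------

def thumbprint(der_bytes: bytes, algo: str = "sha1") -> str:
    """Thumbprint = hash of the DER encoding, upper-case hex. SHA-1 is assumed
    to be the form shown on the SAML Signing Certificate page."""
    return hashlib.new(algo, der_bytes).hexdigest().upper()

def _time(tag: int, raw: bytes) -> datetime:
    # 0x17 = UTCTime (YYMMDD...), 0x18 = GeneralizedTime (YYYYMMDD...)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def validity(der_bytes: bytes):
    """Walk Certificate -> tbsCertificate -> validity; return (notBefore, notAfter)."""
    _, pos, _ = read_tlv(der_bytes, 0)             # Certificate SEQUENCE
    _, pos, _ = read_tlv(der_bytes, pos)           # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der_bytes, pos)         # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, end = read_tlv(der_bytes, end)       # serialNumber
    _, _, end = read_tlv(der_bytes, end)           # signature AlgorithmIdentifier
    _, _, end = read_tlv(der_bytes, end)           # issuer Name
    _, pos, _ = read_tlv(der_bytes, end)           # validity SEQUENCE
    t1, s1, e1 = read_tlv(der_bytes, pos)
    t2, s2, e2 = read_tlv(der_bytes, e1)
    return _time(t1, der_bytes[s1:e1]), _time(t2, der_bytes[s2:e2])

def describe(data: bytes) -> dict:
    """One call for any download format: thumbprint plus validity window."""
    d = to_der(data)
    not_before, not_after = validity(d)
    return {"thumbprint": thumbprint(d), "not_before": not_before, "not_after": not_after}

# ---- constructed sample certificate (demo only) -----------------------------

def build_sample_cert(not_before: datetime, not_after: datetime) -> bytes:
    """Structurally valid X.509 v3 DER with a dummy key and signature."""
    def utc(dt):
        return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))  # sha256WithRSA
    key_alg = der(0x30, der(0x06, bytes.fromhex("2A864886F70D010101")) + der(0x05, b""))  # rsaEncryption
    name = der(0x30, der(0x31, der(0x30, der(0x06, bytes.fromhex("550403"))               # CN=
                                           + der(0x0C, b"Sample SAML Signing"))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                    # version v3
                    + der(0x02, b"\x01")                              # serialNumber
                    + sig_alg + name                                  # signature, issuer
                    + der(0x30, utc(not_before) + utc(not_after))     # validity
                    + name                                            # subject
                    + der(0x30, key_alg + der(0x03, b"\x00" * 17)))   # subjectPublicKeyInfo (dummy)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 33))         # signatureValue (dummy)

if __name__ == "__main__":
    cert = build_sample_cert(datetime(2022, 6, 2, tzinfo=timezone.utc),
                             datetime(2025, 6, 2, tzinfo=timezone.utc))
    for label, blob in (("raw", cert), ("base64", to_base64_text(cert)), ("pem", to_pem(cert))):
        print(label, describe(blob))
```

Whatever format the application asked for, the thumbprint and dates come out identical, which is a quick way to confirm that the file you uploaded is the certificate you activated in the portal.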




CUSTOMIZE THE EXPIRATION DATE FOR YOUR FEDERATION CERTIFICATE AND ROLL IT OVER
TO A NEW CERTIFICATE

By default, Azure configures a certificate to expire after three years when it's
created automatically during SAML single sign-on configuration. Because you
can't change the date of a certificate after you save it, you have to:

 1. Create a new certificate with the desired date.
 2. Save the new certificate.
 3. Download the new certificate in the correct format.
 4. Upload the new certificate to the application.
 5. Make the new certificate active in the Azure Active Directory portal.

The following two sections help you perform these steps.


CREATE A NEW CERTIFICATE

First, create and save a new certificate with a different expiration date:

 1.  Sign in to the Azure Active Directory portal. The Azure Active Directory
     admin center page appears.
 2.  Select Enterprise applications.
 3.  From the list of applications, select your desired application.
 4.  Under the Manage section, select Single sign-on.
 5.  If the Select a single sign-on method page appears, select SAML.
 6.  In the Set up Single Sign-On with SAML page, find the SAML Signing
     Certificate heading and select the Edit icon (a pencil). The SAML Signing
     Certificate page appears, which displays the status (Active or Inactive),
     expiration date, and thumbprint (a hash string) of each certificate.
 7.  Select New Certificate. A new row appears below the certificate list, where
     the expiration date defaults to exactly three years after the current date.
     (Your changes haven't been saved yet, so you can still modify the
     expiration date.)
 8.  In the new certificate row, hover over the expiration date column and
     select the Select Date icon (a calendar). A calendar control appears,
     displaying the days of a month of the new row's current expiration date.
 9.  Use the calendar control to set a new date. You can set any date between
     the current date and three years after the current date.
 10. Select Save. The new certificate now appears with a status of Inactive, the
     expiration date that you chose, and a thumbprint.
     
     Note
     
     When you have an existing certificate that is already expired and you
     generate a new certificate, the new certificate will be considered for
     signing tokens, even though you haven't activated it yet.

 11. Select the X to return to the Set up Single Sign-On with SAML page.


UPLOAD AND ACTIVATE A CERTIFICATE

Next, download the new certificate in the correct format, upload it to the
application, and make it active in Azure Active Directory:

 1. View the application's additional SAML sign-on configuration instructions by
    either:
    
    * Selecting the configuration guide link to view in a separate browser
      window or tab, or
    * Going to the set up heading and selecting View step-by-step instructions
      to view in a sidebar.

 2. In the instructions, note the encoding format required for the certificate
    upload.

 3. Follow the instructions in the Auto-generated certificate for gallery and
    non-gallery applications section earlier. This step downloads the
    certificate in the encoding format required for upload by the application.

 4. When you want to roll over to the new certificate, go back to the SAML
    Signing Certificate page, and in the newly saved certificate row, select the
    ellipsis (...) and select Make certificate active. The status of the new
    certificate changes to Active, and the previously active certificate changes
    to a status of Inactive.

 5. Continue following the application's SAML sign-on configuration instructions
    that you displayed earlier, so that you can upload the SAML signing
    certificate in the correct encoding format.

If your application doesn't have any validation for the certificate's
expiration, and the certificate matches in both Azure Active Directory and your
application, your application is still accessible despite having an expired
certificate. Ensure your application can validate the certificate's expiration
date.


ADD EMAIL NOTIFICATION ADDRESSES FOR CERTIFICATE EXPIRATION

Azure AD will send an email notification 60, 30, and 7 days before the SAML
certificate expires. You may add more than one email address to receive
notifications. To specify the email address(es) you want the notifications to be
sent to:

 1. In the SAML Signing Certificate page, go to the notification email addresses
    heading. By default, this heading uses only the email address of the admin
    who added the application.
 2. Below the final email address, type the email address that should receive
    the certificate's expiration notice, and then press Enter.
 3. Repeat the previous step for each email address you want to add.
 4. For each email address you want to delete, select the Delete icon (a garbage
    can) next to the email address.
 5. Select Save.

You can add up to five email addresses to the Notification list (including the
email address of the admin who added the application). If you need more people
to be notified, use a distribution list email address.

You'll receive the notification email from azure-noreply@microsoft.com. To avoid
the email going to your spam folder, add this email address to your contacts.


RENEW A CERTIFICATE THAT WILL SOON EXPIRE

If a certificate is about to expire, you can renew it using a procedure that
results in no significant downtime for your users. To renew an expiring
certificate:

 1. Follow the instructions in the Create a new certificate section earlier,
    using a date that overlaps with the existing certificate. That date limits
    the amount of downtime caused by the certificate expiration.

 2. If the application can automatically roll over a certificate, set the new
    certificate to active by following these steps:
    
    1. Go back to the SAML Signing Certificate page.
    2. In the newly saved certificate row, select the ellipsis (...) and then
       select Make certificate active.
    3. Skip the next two steps.

 3. If the application can only handle one certificate at a time, pick a
    downtime interval to perform the next step. (Otherwise, if the application
    doesn’t automatically pick up the new certificate but can handle more than
    one signing certificate, you can perform the next step anytime.)

 4. Before the old certificate expires, follow the instructions in the Upload
    and activate a certificate section earlier. If your application certificate
    isn't updated after a new certificate is updated in Azure Active Directory,
    authentication on your application may fail.

 5. Sign in to the application to make sure that the certificate works
    correctly.

If your application doesn't validate the certificate expiration configured in
Azure Active Directory, and the certificate matches in both Azure Active
Directory and your application, your application is still accessible despite
having an expired certificate. Ensure your application can validate certificate
expiration.
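Both the Upload and activate a certificate section and the renewal procedure above end on the same point: an application that only matches the certificate it was given, without checking its validity period, keeps accepting assertions after the certificate has expired. The following is an added example (not Microsoft's, nor any SAML library's or application's code) of the service-provider side: a ring of trusted IdP signing certificates identified by thumbprint, a check that accepts a signer only when it is both trusted and inside its validity window at the time of the check, the overlap window in which old and new certificates are both valid during a rollover, and the 60/30/7-day notice dates the tutorial describes. The class and function names (`SigningCert`, `TrustRing`, `overlap_window`, `notice_dates`, `demo`) and all certificate metadata are this example's own constructs.

```python
"""Service-provider side of a SAML signing-certificate rollover.

Added example, not Azure AD or SAML library code. Certificate metadata is
constructed for the demo; in practice it comes from the certificate file the
application was given (thumbprint plus notBefore/notAfter).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

@dataclass(frozen=True)
class SigningCert:
    thumbprint: str          # as shown on the SAML Signing Certificate page
    not_before: datetime
    not_after: datetime

    def valid_at(self, when: datetime) -> bool:
        return self.not_before <= when <= self.not_after

class TrustRing:
    """Trusted IdP signing certificates; holds more than one during a rollover."""

    def __init__(self, certs=()):
        self._certs = {}
        for c in certs:
            self.add(c)

    def add(self, cert: SigningCert) -> None:
        self._certs[cert.thumbprint.upper()] = cert

    def remove(self, thumbprint: str) -> None:
        self._certs.pop(thumbprint.upper(), None)

    def check(self, signer_thumbprint: str, when: datetime) -> Tuple[bool, str]:
        """Decision for an assertion signed by signer_thumbprint at time `when`.
        Matching the thumbprint alone would accept an expired certificate
        indefinitely; the validity test is what the tutorial asks for."""
        cert = self._certs.get(signer_thumbprint.upper())
        if cert is None:
            return False, "untrusted signing certificate"
        if when < cert.not_before:
            return False, "signing certificate not yet valid"
        if when > cert.not_after:
            return False, "signing certificate expired"
        return True, "ok"

def overlap_window(old: SigningCert, new: SigningCert) -> Optional[Tuple[datetime, datetime]]:
    """Period in which both certificates are valid. None means the new
    certificate starts after the old one ends and a gap is unavoidable."""
    start = max(old.not_before, new.not_before)
    end = min(old.not_after, new.not_after)
    return (start, end) if start <= end else None

def notice_dates(cert: SigningCert, lead_days=(60, 30, 7)):
    """Dates on which Azure AD sends expiry notices, per the tutorial."""
    return [cert.not_after - timedelta(days=d) for d in lead_days]

# ---- constructed demo: an expiring certificate and its overlapping successor
OLD = SigningCert("A1" * 20, datetime(2019, 6, 2, tzinfo=timezone.utc),
                  datetime(2022, 6, 2, tzinfo=timezone.utc))
NEW = SigningCert("B2" * 20, datetime(2022, 5, 1, tzinfo=timezone.utc),
                  datetime(2025, 5, 1, tzinfo=timezone.utc))

def demo() -> dict:
    ring = TrustRing([OLD])
    in_overlap = datetime(2022, 5, 15, tzinfo=timezone.utc)   # both certs valid
    after_old = datetime(2022, 6, 3, tzinfo=timezone.utc)     # old cert expired
    results = {
        "old_during_overlap": ring.check(OLD.thumbprint, in_overlap),
        # new cert activated in Azure AD but not yet uploaded to the app
        "new_before_upload": ring.check(NEW.thumbprint, in_overlap),
    }
    ring.add(NEW)                                             # upload step done
    results["new_after_upload"] = ring.check(NEW.thumbprint, in_overlap)
    results["old_after_expiry"] = ring.check(OLD.thumbprint, after_old)
    results["overlap"] = overlap_window(OLD, NEW)
    results["notices"] = notice_dates(OLD)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The "new_before_upload" result is the failure mode the renewal steps warn about: once the new certificate is active in Azure AD but the application has not been given it, assertions are rejected as coming from an untrusted signer. Keeping the old certificate in the ring until its notAfter, and adding the new one before the old expires, is what makes the rollover downtime-free for applications that can hold more than one signing certificate.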


RELATED ARTICLES

 * Application management with Azure Active Directory
 * Single sign-on to applications in Azure Active Directory
 * Debug SAML-based single sign-on to applications in Azure Active Directory








