Azure SAML IdP
So we have an external IdP that is created using the federation information that we can download from our Azure account.
https://login.microsoftonline.com/{customer_id_string}/federationmetadata/2007-06/federationmetadata.xml
This is imported into the F5 configuration and we are able to use it successfully; my question revolves around the way the F5 supports this federationmetadata.xml file we get from Azure. It contains 2 certificates, and at different times each certificate can be valid, but from the F5 side we can only ever select one.
Is there a way on the F5 side to select both certificates on the IdP so it will authenticate no matter which one Azure is configured to use?
Thanks
Chris
18 Replies
- Sergi_Munyoz_24
Nimbostratus
Hi. Usually one is for signing and the other is for encryption. Signing is usually required to work, but encryption is rarely used. If imported from metadata, the names will have different endings.
- Chris_Guthrie
Nimbostratus
Correct, the certificates have the same name but one has an extra "2" in it, which I guess signifies it's the second certificate that's imported. I've found that we have had to use both certificates at different times but am unsure why, or if we're doing something wrong on the Azure side or F5?
- Sergi_Munyoz_24
Nimbostratus
Which version are you using? I'm at 12.1.1 204 I think. The other day I was setting up federation with IBM Verse and I did find F5 imported certs incorrectly from metadata, maybe it is a bug we can report. IBM has two, one for signing, one for encryption. Common names were like IBM_VERSE_S and IBM_VERSE_E. But when I came to the GUI, to my surprise both were shown as IBM_VERSE_E. What I did was edit the metadata with Notepad, copy the text for both certs between < and >, paste it with Notepad into a .txt and rename it to .cer. Then I imported them back through the GUI and reassigned them to the SP-connector. Then the certs showed the correct name and everything began to work.
- kunjan
Nimbostratus
Do you know the purpose of the cert? Is it for verifying the signature or encrypting the assertion? As Sergi mentioned, it could be one for signature verification and the other for assertion encryption.
- Sergi_Munyoz_24
Nimbostratus
Sample IBM metadata. Look at KeyDescriptor use=. After this comes the cert between > and <:
MIIDNjCCAh6gAwIBAgIEUh+uVTANBgkqhkiG9w0BAQsFADBdMQswCQYDVQQGEwJVUzEMMAoGA1UEChMDSUJNMQ4wDAYDVQQLEwVMb3R1czEwMC4GA1UEAxMnTG90dXNMaXZlIFNlcnZpY2UgUHJvdmlkZXIgLSBFbmNyeXB0aW9uMB4XDTEzMDgyOTIwMjU1N1oXDTM1MDcyNTIwMjU1N1owXTELMAkGA1UEBhMCVVMxDDAKBgNVBAoTA0lCTTEOMAwGA1UECxMFTG90dXMxMDAuBgNVBAMTJ0xvdHVzTGl2ZSBTZXJ2aWNlIFByb3ZpZGVyIC0gRW5jcnlwdGlvbjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANBgpwmfaLDGGWyzDtJ2PC8TQ1KWaaOJTr4DRxphW1lzLVw0YZtwe0Ig1aO53NK5zzXXROcBLJGgULYdOzyGY7BCKac1pFhuwaGHJvfCc6iVElsuU5r1bpU7yUmIX3Of9kjXMgtCREDiXRrHxJZy+TFuZYikvYgpsTCkTA4v182rehLlvcO60Vu6sAwzsZbJ7h4XsyIk0Cr5Vzj8wVyr8j/CzdFSufVIefeee5PpiHjSYHFQ2RoJo83o+g/WujCpgj6w62Tk4hA4UGZM3XRy0EKvyR4QdQsIbRh9pASBqXNK5/Jn7AJzqWGSuOuXhWORXFveia0UwSdYMR6GmSJDcqkCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAJcZF+jwK/xnOswRUyLvkXdpU2ShKKwAlVMburH47zMeQ4oi1RWXa2PexbRk/LQUHC+6cWPUQ6ySQlHF73JEsVNw/rFfRyBIeHNibo+sIkkPZqymlm8SP9UZqgAriyVIqkvnqytRTm2+vsAIMv7/38XPXfHugDyxa0156reOh+rMIGznFUhawNOYsrfFC8YS7impwMjTgXxGvNrBOUKblM1vP4ftfS8JZFbehmjqCG4+aBJAKfY/4sCobksj/DzrFSH6t82ZhrH7V5MXmZ5VdU4On5FxIC4lZKq6wQCZfQnVR8cfCQWyGhFU2lXxNTUHpyfPp0U/Nj5/0aWQ+xyr4bA==
(the element that follows the cert, the rest of the markup was lost in extraction:) http://www.w3.org/2001/04/xmlenc#rsa-1_5"/>
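Picking up kunjan's question about what each certificate is for and Sergi's KeyDescriptor sample, here is an added example (not from the thread, and not F5 or Azure code) that parses metadata of this shape with Python's standard library, sorts the KeyDescriptors by their use= attribute, and contrasts trusting one selected signing certificate with trusting every signing certificate the IdP publishes, which is what keeps working across the kind of rollover Chris describes. The metadata document and the certificate bytes are constructed placeholders; only their thumbprints matter here.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed certificate bodies (placeholder bytes, NOT real X.509 DER);
# only their thumbprints matter for this demonstration.
SIGNING_CERT_B64 = base64.b64encode(b"constructed signing certificate 1").decode()
ROLLOVER_CERT_B64 = base64.b64encode(b"constructed signing certificate 2").decode()
ENCRYPTION_CERT_B64 = base64.b64encode(b"constructed encryption certificate").decode()

# Constructed IdP metadata shaped like the federationmetadata.xml discussed in
# the thread: several KeyDescriptor elements, distinguished by the use= attribute.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {SIGNING_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{ROLLOVER_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{ENCRYPTION_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def thumbprint(cert_b64: str) -> str:
    """SHA-1 thumbprint (upper-case hex) of a base64 DER certificate, the form the
    Azure portal displays. Whitespace inside the element is ignored, since metadata
    files often wrap the base64 across lines."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha1(der).hexdigest().upper()


def load_key_descriptors(metadata_xml: str) -> list:
    """Return one record per KeyDescriptor: the uses it is published for and the
    certificate thumbprint. Per the SAML metadata spec, a KeyDescriptor with no
    use= attribute is valid for both signing and encryption."""
    root = ET.fromstring(metadata_xml)
    records = []
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        use = kd.get("use")
        uses = frozenset([use]) if use else frozenset(["signing", "encryption"])
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue  # no inline certificate: nothing to pin against
        records.append({"uses": uses, "thumbprint": thumbprint(cert.text)})
    return records


def trusted_signing_thumbprints(records: list) -> set:
    """Every certificate the IdP publishes for signing. Trusting the whole set,
    rather than one selected certificate, is what survives an IdP key rollover."""
    return {r["thumbprint"] for r in records if "signing" in r["uses"]}


def is_published_signer(records: list, response_cert_b64: str) -> bool:
    """Is the certificate carried in a SAML response's KeyInfo one of the IdP's
    published signing certificates? This is only the key-selection step; the XML
    signature itself must still be verified against that key."""
    return thumbprint(response_cert_b64) in trusted_signing_thumbprints(records)


def single_cert_check(selected_cert_b64: str, response_cert_b64: str) -> bool:
    """The 'select one certificate' model described in the thread, for comparison."""
    return thumbprint(selected_cert_b64) == thumbprint(response_cert_b64)


if __name__ == "__main__":
    recs = load_key_descriptors(SAMPLE_METADATA)
    for r in recs:
        print(sorted(r["uses"]), r["thumbprint"])
    # Once the IdP rolls to its second signing certificate, the single-cert model
    # rejects the response while the published-set model still accepts it.
    print("single cert, after rollover:", single_cert_check(SIGNING_CERT_B64, ROLLOVER_CERT_B64))
    print("published set, after rollover:", is_published_signer(recs, ROLLOVER_CERT_B64))
    # The encryption certificate must never be accepted as a signer.
    print("encryption cert as signer:", is_published_signer(recs, ENCRYPTION_CERT_B64))
```

The encryption KeyDescriptor is the one the SP uses to encrypt assertions sent to the IdP (or, for an SP's own metadata, the key the IdP encrypts to), so it never belongs in the signer set; the check above keeps the two roles apart even when, as Chris found, the imported objects carry near-identical names.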
- Chris_Guthrie
Nimbostratus
It's used for application authentication between our cloud environment ADFS server (I'm new to all this so bear with me) and some SharePoint server. So if both certificates are used for different tasks, I don't understand why I'd need to switch to the other one for it to continue working.
We also had an issue with F5 auto-renewing these certificates, but this seems to have been fixed by a hotfix that was applied recently.
Version: BIG-IP 12.1.2 Build 0.184.249 Engineering Hotfix
- Sergi_Munyoz_24
Nimbostratus
I got lost. Both the ADFS server and SharePoint are in the cloud? Maybe they are two different SP services, each with its own cert? Then you will need two IdP services. If you can attach the metadata.xml in any way, maybe we could look at it.
- Chris_Guthrie
Nimbostratus
So are you saying you just imported the two certificates into the one .crt file, imported that and enabled it on the IdP? My only concern would be the IdP Automation that's used to keep these certificates up-to-date; would that still work on the combined certificate?
- Sergi_Munyoz_24
Nimbostratus
No no, I don't think this will work. In fact I think it is impossible to do. What I said previously is that I did find some kind of bug importing some certs from a metadata file, or exporting from a dev F5 and importing into a prod F5, I can't remember exactly because I was about to begin to fool with it at the moment. The procedure of the .txt/.cer file is a way to ensure they are imported correctly (comparing these with the ones on the GUI). Of course any manipulation of the certs will break any automation. I think the best idea is if we can look at the metadata file.
- kunjan
Nimbostratus
I think here BIG-IP is acting as SP. The IdP connector is configured using IdP automation, so there is no metadata import; it's pulled directly from the Azure IdP. After the fix, do you still see the issue?