Forum Discussion
Azure SAML IdP
Hi Chris. I'm not able to test import of this on my F5, due to text format I suppose... Assuming SAML begins from: "IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol" I can see 3 certificates, where 2 self-signed ones referring to CN=accounts.accesscontrol.windows.net are almost equal in parameters (with 2 weeks of difference in issuing date, same key length, ...). So I think it is impossible to say which one is right unless you ask the metadata issuer (Mr. MSft), or unless IdP Automation (no experience with this) chooses the right one for you.
- Chris_Guthrie Mar 28, 2017
Nimbostratus
Yeah, I kind of agree with what you're saying (it's between those 2 certs I've been switching). Been trying to get that answer from MS, still working that side. Thanks
- Sergi_Munyoz_24 Mar 28, 2017
Nimbostratus
No other way to solve it I think. Good luck with the question
- kunjan Mar 28, 2017
Nimbostratus
Checking further shows MS also mentions this.
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-federation-metadata
A federation metadata document published by Azure AD can have multiple signing keys, such as when Azure AD is preparing to update the signing certificate. When a federation metadata document includes more than one certificate, a service that is validating the tokens should support all certificates in the document.
I don't think APM supports this. May want to raise a support case.
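An added example, not part of the thread and not F5 or Microsoft code: one way to collect every signing certificate from the `IDPSSODescriptor` of a federation metadata document and accept an assertion's signer if it matches any of them, as the quoted Microsoft guidance asks. The sample metadata and its certificate payloads are constructed placeholders, the function names are hypothetical, and the fingerprint match only selects the trusted set; it does not replace verifying the XML signature.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _key(use, raw):
    # Helper for the constructed sample only: wraps placeholder bytes as a KeyDescriptor.
    b64 = base64.b64encode(raw).decode()
    return (f'<KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>\n  {b64}\n</ds:X509Certificate>'
            f'</ds:X509Data></ds:KeyInfo></KeyDescriptor>')

# Constructed sample metadata; payloads are placeholder bytes, not real certificates.
SAMPLE_METADATA = (
    '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example/">'
    '<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + _key("signing", b"constructed-cert-current")
    + _key("signing", b"constructed-cert-rollover")
    + _key("encryption", b"constructed-cert-encryption")
    + '</IDPSSODescriptor></EntityDescriptor>'
)

def signing_cert_fingerprints(metadata_xml):
    """Return {sha256_hex: der_bytes} for every IdP signing certificate."""
    # Metadata should come from a trusted HTTPS source; ElementTree does not
    # defend against entity-expansion attacks in hostile XML.
    root = ET.fromstring(metadata_xml)
    certs = {}
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute applies to signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.findall(".//ds:X509Certificate", NS):
            # Certificate text is often line-wrapped; drop whitespace before decoding.
            der = base64.b64decode("".join((node.text or "").split()))
            certs[hashlib.sha256(der).hexdigest()] = der
    return certs

def is_trusted_signer(assertion_cert_der, metadata_xml):
    """True if the assertion's signing certificate is any of the published ones."""
    fp = hashlib.sha256(assertion_cert_der).hexdigest()
    return fp in signing_cert_fingerprints(metadata_xml)

if __name__ == "__main__":
    for fp in signing_cert_fingerprints(SAMPLE_METADATA):
        print(fp)
```

Comparing the printed fingerprints with the certificate configured on the service provider shows whether it holds the current key, the rollover key, or neither.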