
We have a working ADFS 2016 server with over 100 clients as claims provider trusts. Now I need to join a local government SAML2 system, which is a common solution for many government bodies. It is compatible with our ADFS setup, except they require (without any valid reason) us to use special government-signed certificates as the token signing (and possibly encryption) certificate. With over 100 existing customers, who do not all update from our metadata automatically, I do NOT want to change our current token signing/encryption certificates in our published metadata.

Is there some way to handle this situation in ADFS server?

Can I install this government token signing certificate on the ADFS server as a second certificate and make it so that it is NOT published in our metadata?

And could this second certificate be used only with some selected claims provider trusts, so that the ADFS server by default uses our current certificate but uses the government certificate for logins from selected claims provider trusts that are linked to the government SAML2 system?

Or is a completely different ADFS server our only option?

Thanks.

dvlpr

1 Answer


No - an IDP only uses one certificate. Azure AD works exactly the same way.

Your only option is another IDP.

This doesn't have to be ADFS - just another IDP.

rbrayb
  • Just a comment on AAD. In AAD, when you federate an app, it depends on whether you federate with the tenant directly or using app-specific metadata. If you add a non-gallery app, you get token signing certs that differ from the tenant itself. So it is possible to have 2 x SAML RP with each getting a different token signed by different certs from AAD (despite being configured as apps in the same tenant). But as far as the OP's question is concerned, he needs another AD FS. – maweeras Aug 24 '18 at 16:42
  • "Your only option is another IDP" And I cannot have another IDP on the same server as ADFS? – dvlpr Aug 25 '18 at 07:38
  • You cannot have two ADFS instances on the same Windows server. Obviously, you can have as many cloud IDPs as you like, or you could run e.g. IdentityServer on the same box. – rbrayb Aug 26 '18 at 18:52