SharePoint ADFS Cert expiring / rollover


If your ADFS token-signing certificate is expiring and has rolled over to a new one, the SharePoint site will throw this error because it still trusts the old certificate:

The SAML Assertion is either not signed or the signature’s KeyIdentifier cannot be resolved to a SecurityToken. Ensure that the appropriate issuer tokens are present on the token resolver

To resolve this, go into your ADFS server, export the new Token Signing certificate (public key only, .cer), then run this in the SharePoint Management Shell on the SharePoint server (Central Administration):

# Load the exported ADFS token-signing certificate (public key only)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("D:\SSL Certificate\ADFSCert.cer")
# Register it as a trusted root authority in the farm (name must not already exist)
New-SPTrustedRootAuthority -Name "Token Signing Certificate" -Certificate $cert
# Point the trusted identity token issuer at the new signing certificate
$sts = Get-SPTrustedIdentityTokenIssuer
$sts | Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate $cert

And voilà! It will start working again.
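The same rollover as a checked, end-to-end script (an added example, not code from the original post). It assumes part 1 runs on the ADFS server and part 2 on a SharePoint server as a farm administrator; the export path, the issuer name "ADFS" and the root-authority naming are placeholders. It adds two things the four lines above skip: it compares thumbprints so you can spot the mismatch (or confirm there is none) before users see the SAML error, and it gives each imported certificate its own trusted-root-authority name so a rerun does not collide with the entry from the previous rollover.

```powershell
# Added example, not from the original post. Placeholders: export path, issuer name "ADFS".

# --- Part 1: on the ADFS server. ADFS with AutoCertificateRollover generates a new
# token-signing certificate before the old one expires and later promotes it to primary;
# SharePoint must trust the new certificate before that promotion happens.
$props = Get-AdfsProperties
"AutoCertificateRollover: $($props.AutoCertificateRollover)"
"Generation threshold (days): $($props.CertificateGenerationThreshold); promotion threshold (days): $($props.CertificatePromotionThreshold)"

# Export the newest token-signing certificate (the one SharePoint will have to trust).
# Public key only (X509ContentType::Cert); the private key never leaves ADFS.
$newest = Get-AdfsCertificate -CertificateType Token-Signing |
    Sort-Object { $_.Certificate.NotBefore } -Descending | Select-Object -First 1
$exportPath = 'D:\SSL Certificate\ADFSCert.cer'   # placeholder path
$contentType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
[System.IO.File]::WriteAllBytes($exportPath, $newest.Certificate.Export($contentType))
"Exported token-signing thumbprint: $($newest.Certificate.Thumbprint)  IsPrimary: $($newest.IsPrimary)"

# --- Part 2: on the SharePoint server, after copying the .cer file over ---
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($exportPath)

# Pick the trusted identity provider that points at ADFS (placeholder name "ADFS").
$sts = Get-SPTrustedIdentityTokenIssuer | Where-Object { $_.Name -eq 'ADFS' }
if (-not $sts) { throw "No SPTrustedIdentityTokenIssuer named 'ADFS' found" }

# Check: does SharePoint already trust the certificate ADFS is signing with?
if ($sts.SigningCertificate.Thumbprint -eq $cert.Thumbprint) {
    "SharePoint already trusts thumbprint $($cert.Thumbprint); nothing to do."
    return
}
"Mismatch: SharePoint trusts $($sts.SigningCertificate.Thumbprint), ADFS exported $($cert.Thumbprint)"

# Register the new certificate as a trusted root authority under a thumbprint-based name,
# so this script can be rerun at the next rollover without a name clash.
$rootName = "ADFS Token Signing $($cert.Thumbprint)"
if (-not (Get-SPTrustedRootAuthority -Identity $rootName -ErrorAction SilentlyContinue)) {
    New-SPTrustedRootAuthority -Name $rootName -Certificate $cert | Out-Null
}

# Switch the token issuer to the new signing certificate.
$sts | Set-SPTrustedIdentityTokenIssuer -ImportTrustCertificate $cert

# Verify by reading the issuer back from the config database.
$after = Get-SPTrustedIdentityTokenIssuer -Identity $sts.Name
if ($after.SigningCertificate.Thumbprint -ne $cert.Thumbprint) {
    throw "Update failed: issuer still trusts $($after.SigningCertificate.Thumbprint)"
}
"Issuer '$($after.Name)' now trusts $($after.SigningCertificate.Thumbprint)"
```

Once users are signing in again and the old ADFS certificate has been retired, the trusted root authority entry created at the previous rollover can be cleaned up with Remove-SPTrustedRootAuthority; leaving it in place is harmless but makes the thumbprint comparison above the only reliable indicator of which certificate is actually in use.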
