AAD Enterprise application SAML signing certificate

cthivierge 4,056 Reputation points
2020-11-25T14:53:55.35+00:00

Hi,

When we configure an enterprise application in AAD with a non-gallery app, in the SAML signing certificate section there are 2 options: "Create New" or "Import".
Create New will create a self-signed certificate (issued by "Microsoft Azure Federated SSO Certificate"), or you can import a public certificate from a third-party Certificate Authority.

My question is: are there any best practices around that?

If I use the "self-signed" certificate, does it cause any issues?
What happens when it expires after the 3 years? Does it renew automatically?

Thanks!


Accepted answer
  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-11-26T08:55:20.37+00:00

    Hello @cthivierge, thank you for reaching out. There won't be any problem if you use the already provided self-signed certificate. Regarding the renewal of the certificates, you would have to renew them manually, but before the cert expires you would receive a notification email informing you about the date of the cert expiration.

    You can check the following article for configuring the notification email and also steps for renewing the certificate here: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/manage-certificates-for-federated-single-sign-on#add-email-notification-addresses-for-certificate-expiration

    The following article is worth checking out as it speaks about managing the certs SSO in Azure AD: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/manage-certificates-for-federated-single-sign-on

    Hope this helps.

    Do let us know if this helps, and if there are any more queries around this, please let us know so that we can help you further. Also, please do not forget to accept the response as an Answer if the above response helped in answering your query.

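Since renewal is manual, an added example (not from either poster) of a check an admin can run on a schedule instead of relying on the notification email alone: it reads the App Federation Metadata URL (or a saved copy of the metadata XML) that Azure AD publishes for the enterprise app, parses every "signing" certificate in the IdP descriptor, and reports how many days remain. The function name, the `-WarnDays` threshold and the placeholder tenant/app IDs in the usage comment are assumptions.

```powershell
# Added example: report expiry of the SAML signing certificate(s) an Azure AD /
# Entra enterprise application publishes in its federation metadata.
# Assumes Windows PowerShell 5.1 or PowerShell 7 and network access to the URL.
function Get-SamlSigningCertExpiry {
    param(
        [Parameter(Mandatory)] [string] $MetadataUri,  # App Federation Metadata Url, or a path to a saved metadata .xml
        [int] $WarnDays = 60                           # assumed threshold: flag certs expiring within this many days
    )

    if (Test-Path -LiteralPath $MetadataUri) {
        [xml]$metadata = Get-Content -LiteralPath $MetadataUri -Raw
    } else {
        [xml]$metadata = (Invoke-WebRequest -Uri $MetadataUri -UseBasicParsing).Content
    }

    # SAML metadata and XML-DSig live in different namespaces; XPath needs both prefixes.
    $ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    # Only KeyDescriptors with use="signing" sign SAML responses; during a
    # certificate rollover Azure AD can publish more than one, so check them all.
    $xpath = '//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
    $nodes = $metadata.SelectNodes($xpath, $ns)
    if ($nodes.Count -eq 0) { throw "No signing certificate found in $MetadataUri" }

    foreach ($node in $nodes) {
        # The element holds the DER certificate as base64; strip whitespace before decoding.
        $raw  = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            Status     = if ($daysLeft -lt 0) { 'EXPIRED' }
                         elseif ($daysLeft -le $WarnDays) { 'RENEW SOON' }
                         else { 'OK' }
        }
    }
}

# Usage (placeholders: take the real URL from the app's "SAML Signing Certificate" blade):
# Get-SamlSigningCertExpiry -MetadataUri 'https://login.microsoftonline.com/<TENANT-ID>/federationmetadata/2007-06/federationmetadata.xml?appid=<APP-ID>' -WarnDays 90
```

Compare the reported thumbprint with the one configured on the service-provider side as well; a renewed Azure AD certificate that the application has not yet received is the usual cause of sign-in failures after a rollover.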

1 additional answer

  1. cthivierge 4,056 Reputation points
    2020-11-26T15:06:36.93+00:00

    Thanks for the answer. We will test this solution within next few weeks.
    I was just in the prerequisites and I just wanted to know if we will have to buy a public certificate.

    Thanks!
