Ines-8171 asked ·

Active Directory Federation Service - Office365

Hi

  1. For the O365 relying party trust: the Encryption Certificate is blank. Is that normal? Can we set up a certificate? If yes, how?

  2. The Token Decrypting and Token Signing certificates are self-signed by default (not issued by a CA). May they be issued by a CA? If yes, is it recommended?

Thanks

adfs

I'm not sure you will get a lot of answers to your original post because it's quite imprecise.
Maybe you can add more information so that we understand what you're trying to do and what your deployment context is (in short).


Thanks for your comment.
We configured ADFS for O365. In the properties of the relying party trust, on the Encryption tab, no certificate is defined. So my question is: can we set up an encryption certificate in this case?

My second question is regarding the Token Encryption and Token Signing certificates. Both are self-signed, not issued by a certificate authority. So is it recommended to change those certificates from self-signed to CA-signed? Because I heard that it's recommended to leave them self-signed and I want to have a confirmation.
Hope it's clearer now.


1 Answer

piaudonn answered ·

First of all, you do not need ADFS to have Single Sign-On for your on-premises clients; you can use Azure AD Connect Seamless SSO. Have a look if you are interested: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso.

Then, the token issued by ADFS is not encrypted. So there is no encryption certificate to use on the trust. That's expected. Note that the token is signed and it is transported over TLS.

By default, token-signing and token-decrypting certificates are self-signed. Those certificates automatically roll over, and unless you have an internal policy that prevents you from using self-signed certificates, you can just keep them as-is. Certificate revocation is not performed on those certificates.


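The points in the answer above (self-signed signing/decrypting certificates with automatic rollover, and an empty encryption certificate on the Office 365 trust) can be confirmed directly on the farm. The following PowerShell is an added example, not code from the thread; it assumes the AD FS module installed with the role and that the Office 365 trust still carries its default name "Microsoft Office 365 Identity Platform" (adjust the name if your trust differs).

```powershell
# Added example (not from the original thread): inventory the AD FS certificates and the
# Office 365 relying party trust so the questions above can be answered from the farm itself.
# Run in an elevated PowerShell session on an AD FS server.
Import-Module ADFS

# 1. Token-signing and token-decrypting certificates.
#    A self-signed certificate has Issuer equal to Subject; the default AD FS ones also
#    carry a subject of the form "CN=ADFS Signing - <federation service name>".
foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    Get-AdfsCertificate -CertificateType $type |
        Select-Object CertificateType, IsPrimary, Thumbprint,
            @{ n = 'Subject';    e = { $_.Certificate.Subject } },
            @{ n = 'Issuer';     e = { $_.Certificate.Issuer } },
            @{ n = 'SelfSigned'; e = { $_.Certificate.Subject -eq $_.Certificate.Issuer } },
            @{ n = 'NotAfter';   e = { $_.Certificate.NotAfter } } |
        Format-Table -AutoSize
}

# 2. Automatic rollover settings. These only apply to the self-signed defaults: if you
#    replace them with CA-issued certificates, AutoCertificateRollover is turned off and
#    renewal becomes a manual task.
Get-AdfsProperties |
    Select-Object AutoCertificateRollover, CertificateDuration,
        CertificateGenerationThreshold, CertificatePromotionThreshold,
        CertificateRolloverInterval |
    Format-List

# 3. The Office 365 trust. EncryptionCertificate is empty on a default Office 365 trust,
#    which is exactly what the blank Encryption tab in the MMC shows; the per-trust
#    revocation-check settings are also displayed for completeness.
$rpName = 'Microsoft Office 365 Identity Platform'   # assumed default name
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) {
    throw "Relying party trust '$rpName' not found. List trusts with: Get-AdfsRelyingPartyTrust | Select-Object Name"
}
$rp | Select-Object Name, Identifier, EncryptClaims,
    @{ n = 'EncryptionCertificate'; e = {
        if ($_.EncryptionCertificate) { $_.EncryptionCertificate.Thumbprint } else { '(none)' } } },
    SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck |
    Format-List
```

If `SelfSigned` is `True` for both the signing and decrypting certificates and `AutoCertificateRollover` is `True`, the farm is in the default state the answer describes and no action is needed beyond watching the `NotAfter` dates around rollover time. An empty `EncryptionCertificate` on the Office 365 trust is the expected value, not a misconfiguration.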


Thanks Piaudonn for your answer.
Sorry for the 1st question; I forgot to mention that we have a hybrid architecture, which is why we use ADFS (internal policy) and to configure the alternate login ID.
If you have a better suggestion, it's more than welcome :)
It's clearer thanks to your answer.

Thanks


Glad it helped!

I am not sure what you call a hybrid architecture. If it is about the fact that you have hybrid identity (the users and devices exist both on-premises and in the cloud), you can still use the authentication mode I mentioned above. If you want the authentication to always stay on-premises, you can also achieve SSO for on-premises users with Pass-Through Authentication with the SSO option. It supports alternate ID too.



You're right, I mean hybrid identity. Actually ADFS is implemented, but after reviewing Pass-Through Authentication with the SSO option, I think we will migrate shortly to this mode. It's better.

Just one detail about the encryption certificate to use on the trust: I referred to the article https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/best-practices-for-secure-planning-and-deployment-of-ad-fs/

where they mention

Use token encryption, especially if you are using SAML artifact resolution.

Encryption of tokens is strongly advised to increase security and protection against potential man-in-the-middle (MITM) attacks that might be tried against your AD FS deployment. Using encryption might have a slight impact on throughput, but in general it should not be noticed, and in many deployments the benefits of greater security exceed any cost in terms of server performance.

Can we apply this in the case of O365 ADFS authentication?
