
AD FS 2.0 RU3 - Multiple RPs sharing signing certificates


Hi all,

I'm testing AD FS 2.0 RU3, in particular one issue that is flagged as fixed:

http://support.microsoft.com/?id=2790338

Some relying parties require that signature certificates are applied to the relying party for SAML requests, as signature certificates provide a critical security validation function and are defined in the SAML 2.0 specification. AD FS 2.0 is capable of allowing unique signature certificates to be applied to a relying party trust, but it only allows the same certificate to be applied to one relying party trust per AD FS 2.0 farm. This restriction may allow multiple relying parties to use the same signing certificate for SAML requests. AD FS 2.0 update rollup 3 removes this restriction and allows multiple relying parties to use the same signing certificate for SAML requests.

I've tested this with two RPs (app1 and app2) sharing the same signing certificate via online metadata exchange. When I attempt to register the second RP, I get the following error:

MSIS7613: The signing certificate of the relying party trust is not unique across all relying party trusts in AD FS 2.0 configuration

I was under the impression that Issue 4 as defined in the Release Notes now allows shared certificates across multiple RPs. Has anyone else tested this successfully?

Regards,

Mylo
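As an added diagnostic (not part of the original post), the following script inventories which relying party trusts on a farm are bound to which request-signing certificate, so an administrator can see which existing trust already holds the certificate that triggers MSIS7613 and, after RU3, confirm that two trusts really do share one. It assumes the AD FS 2.0 PowerShell snap-in (Microsoft.Adfs.PowerShell) on the federation server and the `Get-ADFSRelyingPartyTrust` cmdlet's `RequestSigningCertificate` property; the thumbprint value is a placeholder.

```powershell
# Added example, not from the original post or from Microsoft.
# Assumes: run on an AD FS 2.0 federation server as an AD FS administrator.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Map each request-signing certificate thumbprint to the RP trusts that use it.
$byThumbprint = @{}
foreach ($rp in Get-ADFSRelyingPartyTrust) {
    foreach ($cert in $rp.RequestSigningCertificate) {
        $tp = $cert.Thumbprint
        if (-not $byThumbprint.ContainsKey($tp)) { $byThumbprint[$tp] = @() }
        $byThumbprint[$tp] += $rp.Name
    }
}

# Certificates bound to more than one trust: only possible once RU3 has removed
# the per-farm uniqueness check that produces MSIS7613.
foreach ($tp in $byThumbprint.Keys) {
    $names = $byThumbprint[$tp]
    if ($names.Count -gt 1) {
        "Shared signing certificate $tp used by: $($names -join ', ')"
    }
}

# Before adding a second trust (e.g. app2), find out which trust already holds
# the certificate. Placeholder thumbprint: replace with the real value.
$thumbprintToCheck = '<THUMBPRINT-OF-APP2-SIGNING-CERT>'
if ($byThumbprint.ContainsKey($thumbprintToCheck)) {
    "Certificate $thumbprintToCheck is already bound to: $($byThumbprint[$thumbprintToCheck] -join ', ')"
} else {
    "Certificate $thumbprintToCheck is not bound to any existing RP trust"
}
```

If the shared-certificate report is empty on a farm where RU3 is believed to be installed, the uniqueness check is still being enforced and the rollup should be verified on every server in the farm.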
