
UAG SAML and ADFS


vRickE


I am working on an environment where we have this combination, and we are due to update the certificates soon.

When I updated the certificate on the lab environment it broke SAML authentication with an error 401 right after the authentication.

Upon inspecting the UAG and ADFS logs it seems like when the Relying Party trust was configured from the file downloaded from the UAG, it included the old certificate in the signature.

I am newish to SAML and ADFS, but is this the expectation, and is there any way to avoid it?

Or is my cert replacement going to have an additional level of pain to it?


I have not used the UAGs with ADFS for SAML.  My experience has been limited to Azure AD, and it has been a while since I've done that.  I can't say I've ever been through a full certificate replacement cycle.

That said, you're likely going to have some additional steps when doing cert replacement. 

How many UAGs do you have in your lab and production?  And how are you managing the UAGs and your certificates?  Are you using the PowerShell method or doing these manually?  And are you using the same certificate on all of your UAGs or individual UAG certificates?

Sean Massey
Independent Consultant/Analyst/Blogger | VCDX-EUC 247
Vice Chairman of the Board - World of EUC
Blog: thevirtualhorizon.com  Mastodon: @seanpmassey@vmst.io Instagram/Thread:
@seanpmassey LI: https://www.linkedin.com/in/seanpmassey/


Hi,

First of all, ADFS is a SAML identity provider. Please check this page, which tells you how to export the SAML metadata of your UAG and import it into your ADFS server. In this XML file the certificate is included.

https://my-virt.alfadir.net/index.php/2022/02/16/adfs-with-vmware-unified-access-gateway-uag/

Do not override or delete your existing relying party! Always check your claims (User-principal-name to NameID). When the new relying party is working, you can disable the other one. After a few days without any issue you can consider deleting it.

Please note that you don't have to download the metadata file of your ADFS server. No changes are needed to your UAG configuration this time (at least until your ADFS token signing certificate is replaced).

If you need some more assistance, please let me know.

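The point made above is that the UAG's SP metadata file carries the UAG certificate inside its KeyDescriptor, so a relying party trust built from that file keeps validating against whatever certificate was current at import time. The following check, added here as an example and not taken from the thread or from any VMware or Microsoft tooling, pulls the signing certificates out of an SP metadata file and compares their thumbprints with the certificate now deployed on the UAG, so a stale trust can be spotted before rotation causes the 401 described in the first post. The sample metadata and the certificate bytes are constructed stand-ins (a real file would carry DER-encoded certificates).

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def thumbprint(der_bytes: bytes) -> str:
    """SHA-256 thumbprint of a DER-encoded certificate, upper-case hex."""
    return hashlib.sha256(der_bytes).hexdigest().upper()

def signing_cert_thumbprints(metadata_xml: str) -> list[str]:
    """Thumbprints of every signing certificate in the SP metadata.
    A KeyDescriptor without a 'use' attribute covers signing too."""
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Base64 in metadata is often wrapped; strip all whitespace first.
            der = base64.b64decode("".join((cert.text or "").split()))
            found.append(thumbprint(der))
    return found

def relying_party_needs_update(metadata_xml: str, deployed_cert_der: bytes) -> bool:
    """True when the certificate now on the UAG is not one of the signing
    certificates the relying party trust was built from."""
    return thumbprint(deployed_cert_der) not in signing_cert_thumbprints(metadata_xml)

# Constructed sample values: these bytes stand in for DER certificates.
OLD_CERT_DER = b"constructed-old-uag-certificate-der"
NEW_CERT_DER = b"constructed-new-uag-certificate-der"

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://uag.example.test/portal">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(OLD_CERT_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
```

Run `relying_party_needs_update(metadata, der)` against the metadata file you exported when the trust was created and the DER bytes of the certificate you are about to deploy; a `True` result means the trust must be re-created (or its certificate updated) alongside the UAG certificate change.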