AD FS 2.0 RU3 - Multiple RPs sharing signing certificates


Question

Hi all,

I'm testing AD FS 2.0 RU3, in particular one issue that is flagged as fixed:

http://support.microsoft.com/?id=2790338

Some relying parties require a signing certificate to be applied to the relying party for SAML requests, because the signing certificate provides a critical security verification feature and is defined in the SAML 2.0 specification. AD FS 2.0 can allow a unique signing certificate to be applied to a relying party trust, but it only allows the same certificate to be applied to one relying party trust per AD FS 2.0 farm. This limitation may not allow multiple relying parties to use the same signing certificate for SAML requests. AD FS 2.0 Update Rollup 3 removes this limitation and allows multiple relying parties to use the same signing certificate for SAML requests.

I've tested this with two RPs (app1 and app2) sharing the same signing certificate via online metadata exchange. When I attempt to register the second RP, I get the following error:

MSIS7613: The signing certificate of the relying party trust is not unique across all relying party trusts in AD FS 2.0 configuration.

I was under the impression that Issue 4 as defined in the Release Notes now allows shared certificates across multiple RPs. Has anyone else tested this successfully?

Regards,

Mylo

Recommended answer

Hi Milo

In order to be able to share certificates across the relying party trusts, there is an additional step you need to follow after installing the rollup. It appears it was missing in the documentation so I will get this updated offline.

In the c:\program files\active directory federation services 2.0\SQL folder you should have a PostReleaseSchemaChanges.ps1 script. You need to execute this on your primary ADFS. Note you will need to do this from an elevated PowerShell and need to ensure the script signing policy has been changed to something like remotesigned to allow this script to run.

Once this is done, you will be able to configure RP trusts with the same signing certificate.

Cheers,

M
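The procedure from the answer above, followed by an audit of which RP trusts end up sharing a request-signing certificate, as an added example that is not part of the original thread. It assumes the script path given in the answer, the AD FS 2.0 `Microsoft.Adfs.PowerShell` snap-in with its `Get-ADFSRelyingPartyTrust` cmdlet, and that it is run in an elevated PowerShell on the primary AD FS server.

```powershell
# Added example, not from the original thread. Assumes AD FS 2.0 with RU3 installed
# and the PostReleaseSchemaChanges.ps1 script at the path named in the answer.
$scriptPath = 'C:\Program Files\Active Directory Federation Services 2.0\SQL\PostReleaseSchemaChanges.ps1'

# 1. A Restricted execution policy blocks the script. RemoteSigned lets local
#    scripts run while still requiring a signature on downloaded ones; scope it
#    to this process so the machine-wide policy is left untouched.
if ((Get-ExecutionPolicy) -eq 'Restricted') {
    Set-ExecutionPolicy RemoteSigned -Scope Process -Force
}

if (-not (Test-Path $scriptPath)) {
    throw "PostReleaseSchemaChanges.ps1 not found at $scriptPath - is RU3 installed?"
}

# 2. Apply the schema change that lifts the one-certificate-per-RP-trust restriction.
& $scriptPath

# 3. Audit: list every request-signing certificate that is shared by more than one
#    relying party trust, so the blast radius of a compromised or expiring
#    signing key is known. Written for PowerShell 2.0 (no [pscustomobject]).
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rows = Get-ADFSRelyingPartyTrust | ForEach-Object {
    $rp = $_
    foreach ($cert in $rp.RequestSigningCertificate) {
        New-Object PSObject -Property @{
            RP         = $rp.Name
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    }
}

$rows |
    Group-Object Thumbprint |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        $names = ($_.Group | ForEach-Object { $_.RP }) -join ', '
        '{0} (expires {1}) is shared by: {2}' -f $_.Name, $_.Group[0].NotAfter, $names
    }
```

Re-run step 3 alone whenever a new RP trust is registered; an empty result means no signing certificate is shared across trusts.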
