
Certificate lifecycle management for on-premises Active Directory Federation Services

When integrating on-premises Active Directory with DigiCert ONE, Active Directory Federation Services (AD FS) is one option you can deploy in your local environment to act as the Identity Provider (IdP).

While operating AD FS, you need to manage the lifecycle of the following certificates, which are essential for the authentication process:

  • Service Communications Certificate

    This is the TLS (SSL) certificate used to secure HTTPS communication with AD FS. If you do not have a public TLS certificate installed, you can obtain one through either of the following options:

    • Obtain a certificate from DigiCert (consult your sales representative), or

    • Issue a certificate from DigiCert® Trust Lifecycle Manager using the Generic Private Server Certificate template.

    To use a private TLS certificate, you must install the private CA chain to the trusted CA store on the local system.

  • Token-signing certificate

    This certificate is used by AD FS to digitally sign the SAML response sent to DigiCert ONE. This certificate is critical to ensure that the response is trusted by DigiCert ONE. Refer to the Microsoft documentation titled Obtain and configure token signing and token decryption certificates for AD FS for details on rolling over this certificate. After rolling over this certificate, you must update the IdP metadata in the DigiCert ONE configuration portal. Refer to Enable and configure single sign-on with SAML for more details on configuring the IdP metadata.

    Note

    If the IdP metadata in DigiCert ONE is not updated when the token-signing certificate rollover takes place, user authentication will fail.

  • Token-decrypting certificate

    This certificate is used by AD FS to decrypt incoming SAML requests from the Service Provider. Since DigiCert ONE does not support encrypted SAML requests, this certificate is not used in the DigiCert ONE workflow. However, it is still recommended to replace this certificate alongside the others as part of regular certificate maintenance. Refer to the Microsoft documentation titled Obtain and configure token signing and token decryption certificates for AD FS for details on rolling over this certificate.