Posted on 03-07-2017 01:53 PM
Is anyone currently using ADFS SSO? We're having an issue getting it configured successfully.
We believe the issue is with the JSS signing certificate being used.
We keep getting errors that indicate a bad certificate.
From the ADFS log:
"An error occurred during an attempt to build the certificate chain for the relying party trust 'https://<myhiddenjss>:8443/saml/metadata' certificate identified by thumbprint '6BB3147677CEFD16BEA99AB972CAB689AF97B3D3'. Possible causes are that the certificate has been revoked, the certificate chain could not be verified as specified by the relying party trust's signing certificate revocation settings or certificate is not within its validity period."
We can't get it working with a JSS-generated cert, and uploading a cert acquired from the ADFS guys will not work. When we upload their cert, it uploads successfully, but requires a Keystore password, Certificate key and certificate password that the ADFS guys say they don't have and aren't aware of.
Not sure what I'm missing here...
thx
Phil
Posted on 03-08-2017 01:21 AM
We have exactly the same problem on our test cluster where we use SSO with ADFS. In the end our ADFS experts proposed we skip signing the requests.
Posted on 03-08-2017 05:52 AM
Thanks @mschroder.
Was anyone able to identify a root cause, to your knowledge?
Posted on 08-27-2020 12:33 AM
Old post, but I had the same issue today. Seems that ADFS just doesn't like the Jamf SSO cert. I tried adding the cert to the ADFS server as is listed as Step 2 in the guide here https://www.jamf.com/jamf-nation/articles/436/configuring-single-sign-on-with-active-directory-federation-services, but still got the same issue. In the end I turned off certificate revocation checking on the ADFS server, not ideal but IMHO not a big risk.
In an administrative PowerShell prompt
Get the Identifier:
    PS C:\Users\jon> Get-AdfsRelyingPartyTrust | Select-Object Identifier, SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck

    Identifier                                   SigningCertificateRevocationCheck
    ----------                                   ---------------------------------
    {https://shib.labarchives.com/sp/production} CheckChainExcludeRoot
    {https://jamfpro.my.domain/saml/metadata}    CheckChainExcludeRoot
Note the JamfPro identifier
    PS C:\Users\jon> Set-AdfsRelyingPartyTrust -TargetIdentifier https://jamfpro.my.domain/saml/metadata -SigningCertificateRevocationCheck None -EncryptionCertificateRevocationCheck None
Check it worked
    PS C:\Users\jon> Get-AdfsRelyingPartyTrust | Select-Object Identifier, SigningCertificateRevocationCheck, EncryptionCertificateRevocationCheck

    Identifier                                   SigningCertificateRevocationCheck
    ----------                                   ---------------------------------
    {https://shib.labarchives.com/sp/production} CheckChainExcludeRoot
    {https://jamfpro.my.domain/saml/metadata}    None
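An added example, not from the post above or from Jamf: a small PowerShell audit function that lists AD FS relying party trusts whose signing or encryption certificate revocation check is set to None (the state the steps above leave the Jamf Pro trust in) and, with -Restore, puts them back to CheckChainExcludeRoot, the value the post shows as the previous setting. It assumes the ADFS module in an administrative prompt on the AD FS server; the function name and the use of the trust's RequestSigningCertificate property to report expiry are assumptions.

```powershell
# Added example: find relying party trusts with certificate revocation
# checking disabled and optionally restore the default check.
# Assumes the ADFS PowerShell module (administrative prompt on the AD FS server).
function Get-RelyingPartyTrustWithoutRevocationCheck {
    [CmdletBinding()]
    param(
        # Value to restore when -Restore is given (the pre-change value in the post)
        [string]$Default = 'CheckChainExcludeRoot',
        [switch]$Restore
    )

    $findings = @()
    foreach ($rp in Get-AdfsRelyingPartyTrust) {
        $weakSigning    = ($rp.SigningCertificateRevocationCheck -eq 'None')
        $weakEncryption = ($rp.EncryptionCertificateRevocationCheck -eq 'None')
        if (-not ($weakSigning -or $weakEncryption)) { continue }

        # With revocation checking off, the validity period is the only remaining
        # lifetime control on the trust's signing certificate, so report it.
        # (RequestSigningCertificate is assumed to be the property holding it.)
        $expiry = ($rp.RequestSigningCertificate | ForEach-Object { $_.NotAfter }) -join ', '

        $findings += [pscustomobject]@{
            Identifier                           = ($rp.Identifier -join ', ')
            SigningCertificateRevocationCheck    = $rp.SigningCertificateRevocationCheck
            EncryptionCertificateRevocationCheck = $rp.EncryptionCertificateRevocationCheck
            SigningCertExpires                   = $expiry
        }

        if ($Restore) {
            # One identifier is enough to target the trust
            $id = $rp.Identifier | Select-Object -First 1
            Set-AdfsRelyingPartyTrust -TargetIdentifier $id `
                -SigningCertificateRevocationCheck $Default `
                -EncryptionCertificateRevocationCheck $Default
        }
    }
    return $findings
}

# Report only:
Get-RelyingPartyTrustWithoutRevocationCheck | Format-Table -AutoSize
# Report and revert each finding to the default check:
# Get-RelyingPartyTrustWithoutRevocationCheck -Restore
```

Running the report periodically makes a trust left at None visible rather than silently accepted until its signing certificate expires.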
Posted on 10-27-2020 06:56 AM
Thanks @jonrhoades. Which option did you use in Security (Jamf Pro signing certificate): No certificate, Upload certificate, or Generate certificate? If we upload the ADFS FederationMetadata.xml with the certificate key included in it, does it work? What would be the URL in "Identity Provider Group Attribute Name (Name of the SAML assertion attribute containing your group (e.g., "GroupName"))" if we use the username as mapping? Please advise.