Rotate the Citrix Cloud SAML signing certificate used by ADFS relying party trust

Article ID: CTX562152


Description

On the ADFS server, open Event Viewer, go to Applications > ADFS > Admin, and search for the error logged at the time-stamp at which you reproduced the failed login.

If you see the following error in the ADFS event logs:

Error: "Encountered error during federation passive request.
Additional Data
Protocol Name: Saml
Relying Party: https://saml.cloud.com/39xxxx4ea-4xxe-416e-bd4f-4cxxxxxxx
Exception details:
Microsoft.IdentityServer.Service.SecurityTokenService.RevocationValidationException: MSIS3014: The encryption certificate of the relying party trust 'https://saml.cloud.com/39xxxx4ea-4xxe-416e-bd4f-4cxxxxxxx' identified by thumbprint '754B9208F1F75C5CC962750F3675C5D129471D80' is not valid. It might indicate that the certificate has been revoked, has expired, or that the certificate chain is not trusted.

Resolution

Upload a replacement Citrix Cloud SAML signing certificate to your ADFS relying party trust service provider (SP).

NOTE: ADFS supports both automatic configuration from metadata and manual configuration of the Citrix Cloud relying party trust (SP). The ADFS administrator must determine how the Citrix Cloud relying party trust (SP) was configured during initial setup before deciding whether these steps are needed.

These steps are only necessary if the Citrix Cloud SAML connection and the ADFS relying party trust are configured with all of the following settings:

  • Citrix Cloud SAML connection is configured with Sign Authentication Requests = Yes.
  • "Enter data about the relying party manually" was selected when configuring the Citrix Cloud relying party trust in ADFS.
  • Citrix Cloud relying party trust (SP) is configured to check for signed requests.

To confirm these settings on the ADFS server:

  1. Open PowerShell on your ADFS server and run the following ADFS PowerShell cmdlet:

     Get-ADFSRelyingPartyTrust -Name "CitrixCloudProduction"

  2. Check the values of the following Citrix Cloud relying party trust settings:

     SignedSamlRequestsRequired : True
     SamlResponseSignature      : MessageAndAssertion
     RequestSigningCertificate  :
       [Subject]       CN=samlsigning.cloud.com, O="Citrix Systems, Inc.", L=Fort Lauderdale, S=Florida, C=US
       [Issuer]        CN=DigiCert TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US
       [Serial Number] 02E2BC96A9EA4856BD2F43166B48262B
       [Not Before]    8/6/2022 12:00:00 AM
       [Not After]     8/5/2023 11:59:59 PM
       [Thumbprint]    10FB31501544BC011461BDFA8448311F8E71E9EC

  3. Update the Citrix Cloud SAML signing certificate here within ADFS if it is due to expire.

     (Screenshot: SAML cert.png)

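As an added example (not part of the Citrix article), the following PowerShell automates the verification and update steps above: it reads the RequestSigningCertificate on the CitrixCloudProduction relying party trust, reports how long each certificate remains valid, and, if one has expired or is about to, replaces it with a certificate loaded from a file. The certificate file path and the 30-day warning threshold are assumptions; run it in an elevated PowerShell session on the ADFS server.

```powershell
# Added example, not code from the Citrix article. Assumes the ADFS PowerShell
# module is available and the replacement Citrix Cloud SAML signing certificate
# has already been downloaded to the (hypothetical) path below.
$TrustName   = "CitrixCloudProduction"
$NewCertPath = "C:\certs\samlsigning.cloud.com.cer"   # assumed location of the new signing cert
$WarnDays    = 30                                     # assumed rotation window

function Get-SigningCertStatus {
    param([string]$Name)
    $rp = Get-AdfsRelyingPartyTrust -Name $Name
    if (-not $rp) { throw "Relying party trust '$Name' not found" }
    # Only trusts that require signed requests depend on this certificate.
    if (-not $rp.SignedSamlRequestsRequired) {
        Write-Warning "SignedSamlRequestsRequired is False on '$Name'; ADFS does not verify request signatures."
    }
    foreach ($cert in $rp.RequestSigningCertificate) {
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            Action     = if ($daysLeft -le 0)         { "EXPIRED - replace now" }
                         elseif ($daysLeft -le $WarnDays) { "Expiring soon - rotate" }
                         else                              { "OK" }
        }
    }
}

$status = Get-SigningCertStatus -Name $TrustName
$status | Format-Table -AutoSize

if ($status | Where-Object { $_.Action -ne "OK" }) {
    # The replacement is the SP's public certificate; ADFS needs no private key for it.
    $newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $NewCertPath
    Write-Host "Replacing request signing certificate with thumbprint $($newCert.Thumbprint)"
    Set-AdfsRelyingPartyTrust -TargetName $TrustName -RequestSigningCertificate $newCert
    # Confirm ADFS now holds the new certificate before re-testing a Citrix Cloud login.
    (Get-AdfsRelyingPartyTrust -Name $TrustName).RequestSigningCertificate |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter
}
```

Set-AdfsRelyingPartyTrust -RequestSigningCertificate replaces the whole certificate list, so pass the old and new certificates together if both must stay valid during the cutover.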
Problem Cause

The ADFS relying party trust for the Citrix Cloud SAML app has an invalid SAML signing certificate configured, or the signing verification certificate has already expired.

Additional Information

Service Provider SAML Signing Certificate FAQ
SAML Signing Certificate Rotation Required Before Expiration