Replacing SSL certificate on Presentations2go server using SAML authentication

Replacing an expired SSL certificate on a Presentations2Go server needs some extra steps when the server uses SAML authentication, because the SAML configuration in web.config refers to that certificate.


  1. Replace the certificate in IIS.
  2. Change the private key permissions to allow access for the Network Service account:
      • Start the Management Console (mmc) and add the Certificates snap-in.
      • File / Add-Remove Snap-in / Certificates / Computer Account / Local Computer.
      • Navigate to Personal / Certificates, right-click the certificate and select All Tasks / Manage Private Keys, then add Network Service.
  3. Look up the subject of the new SSL certificate and, if it differs from the previous subject, update it in the web.config file in c:\inetpub\wwwroot\p2g:
    1. <SigningCertificate findValue="CN=*.presentations2go.eu, OU=Domain Control Validated, O=*.presentations2go.eu" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName" />
    2. The findValue must contain exactly one space character between each comma and the next attribute (the spaces after the commas in the element above).
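Step 2 can also be done from an elevated PowerShell prompt. The script below is an added example and is not part of the Presentations2Go article: it finds the newest certificate in LocalMachine\My with the given subject, locates its private key file and adds a Read entry for NT AUTHORITY\NETWORK SERVICE, which is what "Manage Private Keys" does in the MMC. It then prints the exact subject string and the thumbprint for use in the web.config findValue. The subject is an assumed placeholder; replace it with the subject of your own certificate.

```powershell
# Added example (not from the Presentations2Go article). Run as Administrator.
# The subject is an assumed placeholder; use the subject of your own certificate.
$Subject = 'CN=*.presentations2go.eu, OU=Domain Control Validated, O=*.presentations2go.eu'
$Account = 'NT AUTHORITY\NETWORK SERVICE'

# Newest certificate with a private key and that subject in LocalMachine\My (storeName="My").
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for subject '$Subject'" }

# Find the key container file. CNG keys expose it through RSACng.Key.UniqueName,
# legacy CAPI keys through CspKeyContainerInfo.UniqueKeyContainerName.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if (-not $rsa) { throw 'Private key is not an RSA key or is not accessible' }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $uniqueName = $rsa.Key.UniqueName
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $uniqueName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
} else {
    throw "Unsupported private key type: $($rsa.GetType().FullName)"
}
$keyPath = Get-ChildItem -Path "$env:ProgramData\Microsoft\Crypto" -Recurse -Filter $uniqueName -ErrorAction SilentlyContinue |
    Select-Object -First 1 -ExpandProperty FullName
if (-not $keyPath) { throw "Key file $uniqueName not found under $env:ProgramData\Microsoft\Crypto" }

# Read is sufficient for the application pool to sign with the key; do not grant Full Control.
$acl  = Get-Acl -Path $keyPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyPath -AclObject $acl

Write-Host "Granted Read on $keyPath to $Account"
Write-Host "Subject (copy this string exactly into findValue): $($cert.Subject)"
Write-Host "Thumbprint (for x509FindType=FindByThumbprint): $($cert.Thumbprint)"
```

The printed subject is the string that FindBySubjectDistinguishedName compares against, so copying it from here avoids the missing-space problem described under "Certificate find error" below.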


Common configuration errors for SAML 2.0


Certificate find error

The cause of this error is the formatting of the following value in web.config:

    <SigningCertificate findValue="CN=*.presentations2go.eu,OU=Domain Control Validated, O=*.presentations2go.eu" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName" />

In this value there is no space character between the comma after the CN and "OU". There must be one, because FindBySubjectDistinguishedName compares the whole string exactly:

    <SigningCertificate findValue="CN=*.presentations2go.eu, OU=Domain Control Validated, O=*.presentations2go.eu" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName" />

Error after login

This error means the certificate cannot be read by the application.

To solve this, give the Network Service account access to the private key (see step 2 above).

The signature of the incoming message is invalid

This error is caused by the SAML server (IdP) adding a signature to its metadata.

This can be solved either by making sure the signature is in the metadata or by ignoring the signature check.

To ignore the signature check, change the entry in the <IDPEndPoints> element of web.config from:

    <add id="https://My.SamlServer.com/authentication/idp/metadata">

to:

    <add id="https://My.SamlServer.com" omitAssertionSignatureCheck="true">

Note that with omitAssertionSignatureCheck="true" the application no longer verifies the signature on assertions from that IdP, so correcting the metadata is the preferred solution.

Subject still cannot be found

In some situations the certificate cannot be found with x509FindType="FindBySubjectDistinguishedName". In that case you can use another find method, for example x509FindType="FindByThumbprint". You then supply the certificate's thumbprint as the SigningCertificate findValue.
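The two lookup problems above ("Certificate find error" and "Subject still cannot be found") can both be checked before editing web.config by running the same kind of lookup the <SigningCertificate> element performs. The script below is an added example and is not part of the Presentations2Go article or its code: it calls X509Store.Find with the configured x509FindType and findValue, reports whether the subject string matches exactly one certificate and, if not, lists the candidate certificates with their exact subject, their thumbprint and a ready-made FindByThumbprint element, verifying that the thumbprint lookup works. The findValue is an assumed placeholder.

```powershell
# Added example (not from the Presentations2Go article). The findValue below is an
# assumed placeholder; use the value from your own web.config.
function Find-SigningCertificate {
    param(
        [Parameter(Mandatory)] [string] $FindValue,
        [System.Security.Cryptography.X509Certificates.X509FindType] $FindType = 'FindBySubjectDistinguishedName',
        [System.Security.Cryptography.X509Certificates.StoreLocation] $StoreLocation = 'LocalMachine',  # storeLocation
        [string] $StoreName = 'My'                                                                      # storeName
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $StoreLocation)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        # validOnly = $false: an expired certificate must still be reported, because the
        # question here is only whether the findValue string matches at all.
        return ,$store.Certificates.Find($FindType, $FindValue, $false)
    } finally {
        $store.Close()
    }
}

$findValue = 'CN=*.presentations2go.eu, OU=Domain Control Validated, O=*.presentations2go.eu'
$bySubject = Find-SigningCertificate -FindValue $findValue

if ($bySubject.Count -eq 1) {
    Write-Host "OK: FindBySubjectDistinguishedName resolves to thumbprint $($bySubject[0].Thumbprint)"
} else {
    Write-Warning "FindBySubjectDistinguishedName matched $($bySubject.Count) certificates for '$findValue'"

    # Fall back to FindByThumbprint: list certificates whose CN matches, show the exact
    # subject string (one space after each comma) and prove the thumbprint lookup works.
    $cn = ($findValue -split ',')[0].Trim()
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject.StartsWith($cn + ',') -or $_.Subject -eq $cn } |
        ForEach-Object {
            $byThumb = Find-SigningCertificate -FindValue $_.Thumbprint -FindType FindByThumbprint
            Write-Host "Subject   : $($_.Subject)"
            Write-Host "Thumbprint: $($_.Thumbprint) (FindByThumbprint matches: $($byThumb.Count))"
            Write-Host ('<SigningCertificate findValue="{0}" storeLocation="LocalMachine" storeName="My" x509FindType="FindByThumbprint" />' -f $_.Thumbprint)
        }
}
```

When you switch to FindByThumbprint, enter the thumbprint without spaces; the value copied from the MMC certificate dialog contains spaces between the byte pairs and is known to carry an invisible leading character, so take the thumbprint from the script output instead.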
