
    Replacing SSL certificate on Presentations2go server using SAML authentication


    When you need to replace an expired SSL certificate on a Presentations2Go server, you need to take some extra steps if the server uses SAML authentication: the application also uses this certificate as its SAML signing certificate, so it must be able to find the new certificate in the store and read its private key.


    1. Replace the certificate in IIS (bind the new certificate to the HTTPS site).
    2. Change the private key permissions to allow read access for the Network Service account
        • Start the Management Console (mmc.exe) and add the Certificates snap-in:
        • File / Add-Remove Snap-in / Certificates / Computer Account / Local Computer
        • Navigate to Personal / Certificates, right-click the new certificate, select All Tasks / Manage Private Keys and add Network Service with Read permission. Recycle the application pool afterwards so the application picks up the new key.
    3. Compare the subject of the new SSL certificate with the previous one. If it differs, update the SigningCertificate element in the web.config file in c:\inetpub\wwwroot\p2g:
      1. <SigningCertificate findValue="CN=*.presentations2go.eu, OU=Domain Control Validated, O=*.presentations2go.eu" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName" />
      2. The findValue must contain exactly one space between each comma and the next attribute (", OU=", ", O="). It has to match the certificate's Subject string as Windows displays it, character for character.
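    The three steps above can be done from an elevated PowerShell 5.1 session on the server. The script below is an added example, not part of this article or of Presentations2Go; it assumes an RSA certificate identified by its subject CN, the web.config path named above, and a Windows default key store layout. It grants NETWORK SERVICE read access on the private key file, prints the exact Subject string to paste into findValue, compares it with what web.config currently holds, and performs the same store lookup the application will do so a wrong value is caught before the next login fails.

```powershell
# Added example (not Presentations2Go code): prepare a renewed SSL certificate
# for use as the SAML signing certificate.
# Assumptions (adjust to your server): RSA key, certificate identified by CN,
# web.config in c:\inetpub\wwwroot\p2g. Run as administrator in PowerShell 5.1.

$SubjectCN = 'CN=*.presentations2go.eu'           # assumption: CN of the new certificate
$WebConfig = 'C:\inetpub\wwwroot\p2g\web.config'  # path from the article

function Get-NewestCertificateByCN {
    param([string]$CN)
    # After a renewal several certificates can share a subject; take the one that expires last.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.HasPrivateKey -and $_.Subject.StartsWith($CN, [System.StringComparison]::OrdinalIgnoreCase) } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Get-PrivateKeyFilePath {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Machine keys are files under ProgramData named after the key's unique name;
    # CNG (KSP) keys and legacy CAPI keys live in different folders.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        return Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }
    throw "Unsupported private key type: $($rsa.GetType().FullName)"
}

function Grant-PrivateKeyRead {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$Account = 'NT AUTHORITY\NETWORK SERVICE')
    # Same effect as MMC > All Tasks > Manage Private Keys > add Network Service (Read).
    # Read is enough for signing; do not grant Full control.
    $path = Get-PrivateKeyFilePath $Cert
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    $path
}

function Test-SigningCertificateFind {
    param([string]$FindValue)
    # The lookup the application performs with storeLocation="LocalMachine",
    # storeName="My" and x509FindType="FindBySubjectDistinguishedName".
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        $type  = [System.Security.Cryptography.X509Certificates.X509FindType]::FindBySubjectDistinguishedName
        $found = $store.Certificates.Find($type, $FindValue, $false)
        return ($found.Count -gt 0)
    } finally { $store.Close() }
}

$cert = Get-NewestCertificateByCN $SubjectCN
if (-not $cert) { throw "No certificate with a private key found for $SubjectCN" }

# Step 2: private key permissions.
$keyFile = Grant-PrivateKeyRead $cert
Write-Host "Granted Read on $keyFile to NETWORK SERVICE. Recycle the p2g application pool."

# Step 3: the findValue must equal the Subject string exactly (", OU=", ", O=" with one space).
$findValue = $cert.Subject
Write-Host "Use this findValue in web.config: $findValue"

$configLine = (Select-String -Path $WebConfig -Pattern '<SigningCertificate' | Select-Object -First 1).Line
if ($configLine -match 'findValue="([^"]*)"') {
    $configured = $Matches[1]
    if ($configured -ne $findValue) {
        Write-Warning "web.config findValue '$configured' differs from the certificate subject; update it."
        if ($configured -match ',\S') { Write-Warning 'A comma is not followed by a space (see "Certificate find error" below).' }
    }
}

if (Test-SigningCertificateFind $findValue) {
    Write-Host 'FindBySubjectDistinguishedName lookup succeeds with this value.'
} else {
    Write-Warning "Lookup by subject failed; consider FindByThumbprint with $($cert.Thumbprint)."
}
```

    The script only adds a Read entry and leaves the existing ACL in place; if the key is an ECDSA key or stored in a hardware provider, Get-PrivateKeyFilePath throws and the permission has to be set through the MMC dialog instead.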


    Common configuration errors for SAML 2.0


    Certificate find error


    The cause of this error is the formatting of the findValue in web.config, for example:

        <SigningCertificate findValue="CN=*.presentations2go.eu,OU=Domain Control Validated, O=*.presentations2go.eu" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName" />

    In this value there is no space between the comma and OU. The lookup compares the whole string with the certificate's Subject, which Windows formats with a comma and a space between attributes, so the space must be there:

        <SigningCertificate findValue="CN=*.presentations2go.eu, OU=Domain Control Validated, O=*.presentations2go.eu" storeLocation="LocalMachine" storeName="My" x509FindType="FindBySubjectDistinguishedName" />

    Error after login


    This error means the application can find the certificate but cannot read its private key.

    To solve this, give the Network Service account read access to the private key (see step 2 above) and recycle the application pool.

    The signature of the incoming message is invalid


    This error means the signature on the message received from the SAML server (IdP) could not be verified against the signing certificate published in the IdP metadata, for example because the IdP has changed its signing certificate and the application still uses the old metadata.

    This can be solved either by making sure the IdP's current signing certificate is in the metadata the application loads (preferred), or by turning off the assertion signature check. Turning the check off means the application no longer verifies that the assertion really came from the IdP, so a tampered or forged assertion would be accepted; treat it as a temporary workaround while the metadata is corrected, not as a fix.

    To turn off the signature check, change the <IDPEndPoints> entry in web.config from:

    <add id="https://My.SamlServer.com/authentication/idp/metadata">

    to

    <add id="https://My.SamlServer.com" omitAssertionSignatureCheck="true">

    Subject still cannot be found


    In some situations the certificate cannot be found using x509FindType="FindBySubjectDistinguishedName". In that case use another lookup method, for example x509FindType="FindByThumbprint", and supply the certificate's thumbprint as the SigningCertificate findValue. Enter the thumbprint as one hexadecimal string without spaces; when it is copied from the certificate properties dialog, make sure no hidden (non-printing) characters came along, because they make the lookup fail.
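    The following added example (not part of this article or of Presentations2Go) shows the thumbprint route: it cleans a value pasted from the certificate dialog, which often carries spaces and an invisible left-to-right mark (U+200E) in front of the first digit, performs the lookup exactly as x509FindType="FindByThumbprint" does, and prints the resulting web.config element. The pasted thumbprint is a constructed sample and will not match a real certificate.

```powershell
# Added example (not Presentations2Go code): switch SigningCertificate to FindByThumbprint.
# Assumption: the thumbprint was copied from the certificate properties dialog and may
# contain spaces, colons or a hidden left-to-right mark (U+200E).

function ConvertTo-CleanThumbprint {
    param([string]$Raw)
    # Keep hexadecimal digits only; spaces, colons and U+200E are dropped.
    $clean = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected a 40-digit SHA-1 thumbprint, got $($clean.Length) digits"
    }
    $clean
}

function Find-CertificateByThumbprint {
    param([string]$Thumbprint)
    # Same lookup the application performs for storeLocation="LocalMachine",
    # storeName="My", x509FindType="FindByThumbprint".
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    try {
        $type  = [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint
        $found = $store.Certificates.Find($type, $Thumbprint, $false)
        if ($found.Count -eq 1) { return $found[0] }
        return $null
    } finally { $store.Close() }
}

# Constructed sample: a thumbprint pasted from the dialog, with spaces and the hidden mark.
$pasted = "$([char]0x200E)a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 a1 b2 c3 d4"
$thumb  = ConvertTo-CleanThumbprint $pasted     # A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4
$cert   = Find-CertificateByThumbprint $thumb   # $null unless such a certificate exists

if ($cert) {
    Write-Host "Certificate found: $($cert.Subject), expires $($cert.NotAfter), private key: $($cert.HasPrivateKey)"
} else {
    Write-Warning "No certificate with thumbprint $thumb in LocalMachine\My"
}

# Resulting web.config element; keep the other attributes as in your current file.
"<SigningCertificate findValue=`"$thumb`" storeLocation=`"LocalMachine`" storeName=`"My`" x509FindType=`"FindByThumbprint`" />"
```

    A thumbprint pins one exact certificate, so unlike the subject lookup it has to be updated on every renewal; note that in the script the private key permission from step 2 is still required.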

