SSO ADFS Certificate Rollover - Automatic Metadata / Relying Party Update?

lordy
Tera Contributor

Hi, we have implemented ADFS SSO using Multi-SSO Provider on a Helsinki test instance.

The ADFS certificate expires on the 28th, but SSO stopped working a few days before that.

It looks like ADFS rollover was enabled, and re-importing the metadata got everything working.

Is the metadata reimport already automated? Can it be scheduled? Is this bad practice to automate?

I see there is a Script Include SSO_SAMLMetaUtil with the method loadSAMLMetaFromURL.

Is this called from a schedule anywhere?

It also looks like ADFS can push this update out to Relying Parties (i.e. ServiceNow?), rather than ServiceNow pulling. Does this work?

The Monitoring tab of the Properties of a Relying Party Trust in AD FS


Sakshi14
Giga Expert

Hey Andrew,

Did you find any answers to this? Our ADFS certificate is due for a rollover soon, and we'd need to make updates on the ServiceNow end to allow people to keep using the tool.

Any help would be highly appreciated!


lordy
Tera Contributor

Hi, no, I did not get any further information on this.


markgreenwood
Kilo Contributor

I've just had the same: 2 identity providers, one rolled over as expected and one didn't. This is what I've had to do to get it to work as expected.

In ServiceNow, go to the Identity Provider in question and look under the Advanced tab (screenshot below). You need to ensure you point the field "Metadata URL from which IDP properties are imported" to your ADFS XML; it should be in the format https://xxxxxx/federationmetadata/2007-06/federationmetadata.xml

In the related list of X.509 certs you should see 2; when your ADFS threshold for a new cert is met, it should auto-generate 2 additional certs.

To check how many days beforehand the cert should be generated, open an ADFS PowerShell prompt and run Get-AdfsProperties, then check what is set for CertificateGenerationThreshold (the default is usually 20 days).

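As an added example that is not part of this thread and not code from ServiceNow or Microsoft: a PowerShell check, run on the AD FS side, that reads the rollover thresholds Mark refers to, lists the token-signing certificates AD FS currently holds, and compares them with the signing certificates published at the federation metadata URL that the ServiceNow "Metadata URL" field imports from. The cmdlets (Get-AdfsProperties, Get-AdfsCertificate) and property names are standard AD FS ones; the value of $MetadataUrl is a placeholder assumption to be replaced with your own.

```powershell
# Added example, not code from the thread or from ServiceNow/Microsoft.
# Run in an elevated PowerShell session on an AD FS server. The default value
# of $MetadataUrl is an assumed placeholder; point it at your own metadata file.
param(
    [string]$MetadataUrl = 'https://adfs.example.com/federationmetadata/2007-06/federationmetadata.xml'
)

Import-Module ADFS

# 1. Rollover settings. With AutoCertificateRollover enabled, AD FS generates a
#    new token-signing certificate CertificateGenerationThreshold days before the
#    current one expires and promotes it to primary CertificatePromotionThreshold
#    days after that. Relying parties must pick up the new cert in that window.
$props = Get-AdfsProperties
[pscustomobject]@{
    AutoCertificateRollover        = $props.AutoCertificateRollover
    CertificateGenerationThreshold = $props.CertificateGenerationThreshold
    CertificatePromotionThreshold  = $props.CertificatePromotionThreshold
} | Format-List

# 2. Token-signing certificates AD FS currently holds (primary plus any secondary).
$held = Get-AdfsCertificate -CertificateType Token-Signing | ForEach-Object {
    [pscustomobject]@{
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.Certificate.NotAfter
        IsPrimary  = $_.IsPrimary
    }
}

# 3. Signing certificates published in the federation metadata document, which is
#    what a ServiceNow metadata import reads. FromBase64String ignores the line
#    breaks that metadata files usually put inside the certificate blob.
$xml = [xml](Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content
$published = $xml.EntityDescriptor.IDPSSODescriptor.KeyDescriptor |
    Where-Object { $_.use -eq 'signing' } |
    ForEach-Object {
        $der  = [Convert]::FromBase64String($_.KeyInfo.X509Data.X509Certificate)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    }

Write-Host "`nToken-signing certificates held by AD FS:"
$held | Format-Table -AutoSize
Write-Host "Signing certificates published in metadata:"
$published | Format-Table -AutoSize

# 4. A certificate AD FS holds but does not publish cannot be picked up by a
#    metadata re-import on the ServiceNow side, manual or scheduled.
foreach ($c in $held) {
    if ($published.Thumbprint -notcontains $c.Thumbprint) {
        Write-Warning "Held certificate $($c.Thumbprint) is not published in the metadata."
    }
}

# 5. If the primary is inside the generation window and no secondary exists yet,
#    automatic rollover has not produced the replacement it should have.
$primary = $held | Where-Object IsPrimary
if ($primary) {
    $daysLeft = [int]($primary.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -le $props.CertificateGenerationThreshold -and @($held).Count -lt 2) {
        Write-Warning "Primary certificate expires in $daysLeft days and no secondary exists; check AutoCertificateRollover."
    }
}
```

The useful outcome is the diff in step 4: if the metadata already lists the newly generated certificate, a re-import of that URL on the ServiceNow side (manual, or via the Script Include's loadSAMLMetaFromURL if you schedule it) will pick it up before the promotion date; if it does not, scheduling the import gains nothing and the AD FS side needs attention first.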