
Thursday, March 27, 2014

Change Certificate for Trusted Identity Provider


Many times we are required to update the X.509 certificate of a Trusted Identity Provider, because the certificate may have expired, or because we were using a self-signed certificate and now want to replace it with a commercial CA-issued certificate.

Use these PowerShell commands to update the certificate for an existing Trusted Identity Provider.

# Load the new CA-issued certificate from disk (a .cer file carries the public certificate only)
$newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2("C:\MyCerts\CA_Issued_Cert.cer")
# Add it to the farm's trust root so SharePoint accepts tokens signed with it
New-SPTrustedRootAuthority -Name "New CA Issued Cert" -Certificate $newCert

# Point the existing trusted identity provider at the new signing certificate
Set-SPTrustedIdentityTokenIssuer -Identity "My Id Provider" -ImportTrustCertificate $newCert

If you want to remove the old or expired certificate from the SharePoint trust root, use this command to delete it.

Remove-SPTrustedRootAuthority -Identity "My Old Cert"
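The following script is an added example and not code from the original post: it wraps the same three cmdlets in the checks a farm administrator would want when rotating a signing certificate, namely that the new certificate is currently valid, that the provider's SigningCertificate thumbprint really changed after the update, and that the old root authority is only removed once that is confirmed. The provider name, root-authority names and .cer path are placeholders to replace with your own; it assumes the SharePoint PowerShell snap-in is available.

```powershell
# Added example (not from the original post): rotate the signing certificate of a
# SharePoint trusted identity provider and verify the result.
# Placeholders: provider name, root authority names and the certificate path.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$providerName = "My Id Provider"                 # placeholder
$newCertPath  = "C:\MyCerts\CA_Issued_Cert.cer"  # placeholder
$newRootName  = "New CA Issued Cert"             # placeholder
$oldRootName  = "My Old Cert"                    # placeholder

# Load the new certificate and refuse to continue if it is not currently valid.
$newCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($newCertPath)
$now = Get-Date
if ($newCert.NotBefore -gt $now -or $newCert.NotAfter -lt $now) {
    throw "New certificate is outside its validity period (NotBefore=$($newCert.NotBefore), NotAfter=$($newCert.NotAfter))."
}
if (($newCert.NotAfter - $now).Days -lt 30) {
    Write-Warning "New certificate expires in less than 30 days: $($newCert.NotAfter)"
}

# Record which certificate the provider trusts today so the change can be checked afterwards.
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $providerName
$oldThumbprint = $issuer.SigningCertificate.Thumbprint
Write-Host "Current signing certificate thumbprint: $oldThumbprint"
Write-Host "New certificate thumbprint:             $($newCert.Thumbprint)"
if ($oldThumbprint -eq $newCert.Thumbprint) {
    throw "The provider already trusts this certificate; nothing to rotate."
}

# Rotation: the same cmdlets as in the post.
New-SPTrustedRootAuthority -Name $newRootName -Certificate $newCert | Out-Null
Set-SPTrustedIdentityTokenIssuer -Identity $providerName -ImportTrustCertificate $newCert

# Re-read the provider and confirm the thumbprint actually changed.
$issuer = Get-SPTrustedIdentityTokenIssuer -Identity $providerName
if ($issuer.SigningCertificate.Thumbprint -ne $newCert.Thumbprint) {
    throw "Provider '$providerName' still trusts thumbprint $($issuer.SigningCertificate.Thumbprint)."
}
Write-Host "Provider '$providerName' now trusts thumbprint $($issuer.SigningCertificate.Thumbprint)."

# Remove the old root authority only after the provider is confirmed to use the new one,
# then list what remains in the trust root with expiry dates for the next rotation.
Remove-SPTrustedRootAuthority -Identity $oldRootName -Confirm:$false
Get-SPTrustedRootAuthority |
    Select-Object Name,
        @{ n = 'Thumbprint'; e = { $_.Certificate.Thumbprint } },
        @{ n = 'NotAfter';   e = { $_.Certificate.NotAfter } }
```

Run it from the SharePoint Management Shell as a farm administrator; the final listing is also a convenient place to spot other root authorities that are close to expiry.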

Hope this helps.

-Javed.

Saturday, March 1, 2014

Sign Out from STS in ASP.NET web application

This post is related to my last post about the Claims Provider from an IP-STS. The STS was used by an ASP.NET web application that required single sign-out. But even after calling Session.Abandon() and FormsAuthentication.SignOut(), users were still logged in to the STS.

After some looking around I found the answer on Stack Overflow. The problem was that Session.Abandon() and FormsAuthentication.SignOut() were clearing the user's cookies and session state, but the STS token was never cleaned up. Use this code to complete the sign-out process:

// Types come from System.IdentityModel.Services (WIF 4.5); in WIF 3.5 they live in Microsoft.IdentityModel.Web.
// The module that handles WS-Federation passive sign-in and sign-out for this application.
WSFederationAuthenticationModule fam =
    FederatedAuthentication.WSFederationAuthenticationModule;

// wtrealm identifies this relying party to the STS.
string wrealm = string.Format("wtrealm={0}", fam.Realm);

// Builds "<issuer>?wa=wsignout1.0&wtrealm=..."; the reply URL is added by FederatedSignOut below.
string signOutUrl =
    WSFederationAuthenticationModule.GetFederationPassiveSignOutUrl(
        fam.Issuer, null, wrealm);

// Where the STS should send the browser once it has cleaned up its session.
string wreply = Request.Url.AbsoluteUri;

// Clears the local session cookie and redirects the browser to the STS sign-out URL.
WSFederationAuthenticationModule.FederatedSignOut(
    new Uri(signOutUrl), new Uri(wreply));


You can paste this code into your logout handler and it should clean up the STS token. After logout the STS will redirect the browser to the URL set by "wreply", which can be set to any URL. You don't need to set this parameter; if it is null, the STS will redirect to the default application page set during STS configuration.

This routine sends the "wsignout1.0" command to the STS so it cleans up the token for the user. Here is the sign-out URL:

http://localhost:8888/?wa=wsignout1.0&wtrealm=http%3a%2f%2flocalhost%3a58077%2f&wreply=http%3a%2f%2flocalhost%3a58077%2fdefault.aspx
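As an added example (not code from the original post), the PowerShell below builds the same wsignout1.0 request that the C# above produces, then decodes a sign-out URL and checks that its wreply has the same scheme, host and port as wtrealm, which is the check a relying party should apply before accepting a reply URL so the STS never sends the user's browser outside the application. The issuer and realm values are those of the post's URL; the function names are my own, and the second URL with example.net is a constructed negative case.

```powershell
# Added example (not from the original post): build and validate a WS-Federation sign-out URL.
# Function names are assumptions; issuer/realm values are taken from the post's sign-out URL.
Add-Type -AssemblyName System.Web

function New-WsFedSignOutUrl {
    param(
        [Parameter(Mandatory)][string]$Issuer,   # STS endpoint, e.g. http://localhost:8888/
        [Parameter(Mandatory)][string]$Realm,    # wtrealm of the relying party
        [string]$Reply                           # optional wreply; omitted when empty
    )
    # UrlEncode escapes ':' and '/' (as %3a and %2f), matching the encoding seen in the post.
    $query = "wa=wsignout1.0&wtrealm=" + [System.Web.HttpUtility]::UrlEncode($Realm)
    if ($Reply) { $query += "&wreply=" + [System.Web.HttpUtility]::UrlEncode($Reply) }
    $sep = if ($Issuer.Contains("?")) { "&" } else { "?" }
    return $Issuer + $sep + $query
}

function Test-WsFedSignOutReply {
    # Returns $true only when the URL is a wsignout1.0 request and wreply is either absent
    # or has the same scheme, host and port as wtrealm.
    param([Parameter(Mandatory)][string]$SignOutUrl)
    $uri = [System.Uri]$SignOutUrl
    $q = [System.Web.HttpUtility]::ParseQueryString($uri.Query)
    if ($q["wa"] -ne "wsignout1.0") { return $false }
    if (-not $q["wtrealm"]) { return $false }
    if (-not $q["wreply"]) { return $true }       # STS falls back to its configured default page
    $realm = [System.Uri]$q["wtrealm"]
    $reply = [System.Uri]$q["wreply"]
    return ($realm.Scheme -eq $reply.Scheme -and
            $realm.Host   -eq $reply.Host   -and
            $realm.Port   -eq $reply.Port)
}

# Rebuild the post's URL from its parts and print it.
$url = New-WsFedSignOutUrl -Issuer "http://localhost:8888/" `
                           -Realm  "http://localhost:58077/" `
                           -Reply  "http://localhost:58077/default.aspx"
$url

# Same-origin reply: accepted.
Test-WsFedSignOutReply $url

# Constructed negative case: a reply that points outside the realm is rejected.
Test-WsFedSignOutReply "http://localhost:8888/?wa=wsignout1.0&wtrealm=http%3a%2f%2flocalhost%3a58077%2f&wreply=http%3a%2f%2fexample.net%2f"
```

The check is deliberately strict about the port, because the realm in the post is a non-default port (58077); comparing only the host name would treat every service on localhost as the same application.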


Hope this helps.

-Javed