If you are using a self-signed SSL certificate for your DualShield SSO, then you need to import the DualShield SSO's CA certificate into the local computer certificate store as a root trusted CA on your ADFS server, and you need to disable the certificate revocation check.

Import Certificates

First, you need to import the DualShield SSO's CA certificate.


If you are using a self-signed SSL certificate for your DualShield server, then you can download its CA certificate.

Navigate to "SSO | SSO Servers"

Click the context menu of the Single Sign-on server and select "Download CA Certificate"


In order to import a certificate into the Windows certificate store, you need to access it from the Microsoft Management Console (MMC).

First, you need to add the Certificates Snap-In into the MMC.


Open the MMC (Start > Run > MMC)

Go to File > Add/Remove Snap In

Click on Certificates and click on Add >

Select Computer account

Select Local Computer, then click Finish

Click OK to exit the Snap-In window.

Then, you can import the CA certificate into the Root Certificate Stores.

There are two Root Certificate Stores in Windows systems, Trusted Root Certification Authorities and Third-Party Root Certification Authorities. Usually, you would import a CA certificate into the Trusted Root Certification Authorities.

Expand Trusted Root Certification Authorities

Right Click Certificates.

Select All Tasks > Import

In the Certificate Import Wizard click Next


Click Browse


Select the CA certificate file to be imported

Click Open

Click Next

Click Next

Click Finish

Disable Revocation Check

Furthermore, you need to disable the revocation check on the self-signed claim provider certificate.

On the ADFS server, execute the following commands in the Windows PowerShell console:

Add-PSSnapin Microsoft.Adfs.Powershell
Set-ADFSClaimsProviderTrust -TargetName "Claims_Provider_Name" -SigningCertificateRevocationCheck None
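
The import and the revocation setting can also be scripted. The following is an added example, not part of the DualShield documentation: it checks the downloaded file's thumbprint before trusting it, adds it to the local computer's Trusted Root store through the .NET X509Store class, and then reads the trust back to confirm the setting. The file path and the expected thumbprint are placeholders you must supply.

```powershell
# Added example; not part of the DualShield documentation.
# $CaCertPath and $ExpectedThumbprint are placeholders for your environment.
$CaCertPath         = 'C:\Temp\dualshield-ca.cer'   # hypothetical location of the downloaded CA certificate
$ExpectedThumbprint = '<thumbprint confirmed with the DualShield administrator>'
$ClaimsProviderName = 'Claims_Provider_Name'        # same placeholder as in the commands above

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaCertPath

# Compare against a thumbprint obtained out of band. Stripping non-hex characters
# removes the spaces and invisible characters that copying from a dialog can add.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: the file contains $($cert.Thumbprint). Certificate not imported."
}

# Only a self-signed root belongs in the Trusted Root store, and it must still be valid.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Certificate is not self-signed (issuer: $($cert.Issuer)). Not importing it as a root."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter). Certificate not imported."
}

# Add the certificate to Local Computer > Trusted Root Certification Authorities.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try     { $store.Add($cert) }
finally { $store.Close() }

# Confirm the certificate is now present in the store.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $expected } |
    Format-List Subject, Thumbprint, NotAfter

# Disable the revocation check for this one claims provider trust only, then read it back.
Add-PSSnapin Microsoft.Adfs.Powershell -ErrorAction SilentlyContinue
Set-ADFSClaimsProviderTrust -TargetName $ClaimsProviderName -SigningCertificateRevocationCheck None
Get-ADFSClaimsProviderTrust -Name $ClaimsProviderName |
    Format-List Name, SigningCertificateRevocationCheck
```

Run it in an elevated PowerShell console on the ADFS server; writing to the local computer's Root store requires administrator rights.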


Similarly, if you are using a self-signed certificate for your relying party application, then you have to import the self-signed CA certificate into the local computer certificate store as a root trusted CA on your ADFS server. Then, execute the following commands in the Windows PowerShell console to disable the revocation check on the self-signed relying party certificate:

Add-PSSnapin Microsoft.Adfs.Powershell
Set-ADFSRelyingPartyTrust -TargetName "Relying_Party_Name" -EncryptionCertificateRevocationCheck None

 
