AD FS SAML Application being passed "test" ForgeRock certificates

Hello -

I am posting here because our vendor (who uses ForgeRock for their SAML certificate) is not able to provide support on the following issue.

They have a SAML connection to an on-prem AD FS server. Up until yesterday the SAML connection was working correctly. We have a scheduled pull from their federation data every 7 days; our AD FS server ran its scheduled update from our vendor's federated data at 12:03PM.

At exactly 12:03PM is the last time anyone was able to sign in to the application provider. SAML connection no longer works.

Upon further investigation and testing, our AD FS server is now pulling an encryption certificate with the issuer listed as “CN=Test,OU=AM,O=ForgeRock,L=Bristol,S=Bristol,C=UK”.

This is not what the certificate issuer used to look like prior to the latest metadata update. The vendor insists that they made no changes, and I know for certain that we made no changes to our AD FS server.

I would be less confused if it was pulling some garbled certificate, but it is pulling a “test” certificate from ForgeRock.

What could the potential reason be for us pulling a “test” certificate from ForgeRock through our application provider…?

Hi @tsheldon - if I am understanding you correctly, it sounds like your vendor has updated their encryption certificate to use one of the test certificates that ship with ForgeRock Access Management, specifically the certificate with an alias of test.

What could the reason be? Hard to say, but it certainly sounds like the vendor has updated their configuration.

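The situation described in this thread (a scheduled metadata pull silently replacing a partner's encryption certificate with a product's built-in test certificate) is easy to miss until sign-in breaks. The following PowerShell is an added example, not code from the original thread or from ForgeRock or Microsoft: it audits every AD FS relying party trust and flags encryption or signing certificates whose issuer matches the ForgeRock AM test DN quoted in the question, plus a generic self-signed "Test" heuristic that is an assumption rather than a rule from any vendor. It uses the standard ADFS module cmdlets and X509Certificate2 properties; run it on an AD FS server with an account that can read trusts.

```powershell
# Added example (not from the original thread): audit AD FS relying party trusts
# for partner certificates that look like a product's out-of-the-box test
# certificate, such as the ForgeRock AM "test" alias certificate in the question.

Import-Module ADFS

# Issuer DN quoted in the question. .NET renders DNs with ", " separators,
# so whitespace after commas is normalised before comparison.
$knownTestIssuers = @(
    'CN=Test,OU=AM,O=ForgeRock,L=Bristol,S=Bristol,C=UK'
)

function Normalize-Dn {
    param([string]$Dn)
    return ($Dn -replace ',\s+', ',')
}

function Test-SuspiciousCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert) { return $false }

    $issuer = Normalize-Dn $Cert.Issuer
    foreach ($dn in $knownTestIssuers) {
        if ($issuer -eq (Normalize-Dn $dn)) { return $true }
    }

    # Assumed heuristic: self-signed certificate whose subject contains "Test".
    return ($Cert.Issuer -eq $Cert.Subject) -and ($Cert.Subject -match '(?i)\bTest\b')
}

$findings = foreach ($rp in Get-AdfsRelyingPartyTrust) {
    $certs = @()
    if ($rp.EncryptionCertificate) {
        $certs += @{ Use = 'encryption'; Cert = $rp.EncryptionCertificate }
    }
    foreach ($c in $rp.RequestSigningCertificate) {
        $certs += @{ Use = 'signing'; Cert = $c }
    }

    foreach ($entry in $certs) {
        if (Test-SuspiciousCertificate $entry.Cert) {
            [pscustomobject]@{
                Trust       = $rp.Name
                MetadataUrl = $rp.MetadataUrl
                AutoUpdate  = $rp.AutoUpdateEnabled
                Use         = $entry.Use
                Issuer      = $entry.Cert.Issuer
                Thumbprint  = $entry.Cert.Thumbprint
                NotAfter    = $entry.Cert.NotAfter
            }
        }
    }
}

$findings | Format-Table -AutoSize

# Containment while the partner investigates: stop the automatic metadata pull
# for the affected trust so the next scheduled update cannot change it again.
# Re-enable once the partner publishes corrected metadata.
# foreach ($f in $findings) {
#     Set-AdfsRelyingPartyTrust -TargetName $f.Trust -AutoUpdateEnabled $false
# }
```

Scheduling this check to run shortly after each metadata refresh (or comparing the recorded thumbprints against the previous run) turns a "nobody can sign in since 12:03PM" incident into an alert that names the trust, the metadata URL and the certificate that changed.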