Live@edu Single Sign-On (SSO) Toolkit certificate renewal instructions

INTRODUCTION
This article describes the procedure to renew the certificate for the Live@edu SSO Toolkit. It contains the steps that organization admins have to perform to renew the SSO Toolkit certificate.
Note Support for the SSO Toolkit 4.5 is coming to an end. Released in April 2013, the SSO Toolkit was originally supported through December 2014 to give Live@edu institutions time to transition to a supported SSO solution on Office 365. Last year, the end date was extended to December 31, 2015. After December 31, 2015, certificates are no longer generated for the SSO Toolkit.  

Although we're ending support, we will continue to keep the SSO proxy service running until your current certificate expires. Before the expiration of your SSO certificate, you must implement a supported Office 365 SSO solution for your domain.

See DirSync with Single Sign-On to learn more about how to move to Active Directory Federation Services (AD FS) or other supported Office 365 SSO solutions.
PROCEDURE

Step 1: Request a new certificate from Support

  1. Contact Support to obtain the new certificate for your domain. Specify your site ID and all the domains that have to be renewed.
  2. Support will provide you with a private key file (.pfx) and a password for the private key.

Step 2: Install the certificate .pfx file on the SSO Toolkit server

  1. Log on to the server where the SSO Toolkit is installed by using an administrator account.
  2. Copy the .pfx file to the SSO Toolkit server.
  3. Import the certificate by using one of the following methods.

    Important When you import the certificate, make sure that the certificate is installed to LOCAL_MACHINE\MY store and that you allow the certificate to be exported.
    • Method 1: Use Internet Information Services (IIS) Manager to install the certificate (preferred)
      1. In IIS Manager, select the server, and then click Server Certificates.
      2. Right-click the Certificates window, and then click Import.
      3. Specify the path to the .pfx file and the password, specify Personal for the certificate store, and then select the Allow certificate to be exported check box (if it isn't already selected).
      For more information about how to use IIS Manager to import a certificate, go to Import an SSL Certificate Using Internet Information Services (IIS) Manager.
    • Method 2: Use the Microsoft Management Console to install the certificate

      Use the steps in the following article to import the .pfx file:
      Make sure that you import to local machine\personal store and make sure that you select the Mark the key as exportable... option when you import the certificate.
    • Method 3: Use the Windows HTTP Services Certificate Configuration Tool (WinHttpCertCfg.exe) tool to install the certificate
      1. Download the WinHttpCertCfg.exe tool to the local computer from the following website:
      2. Use the following commands to install the certificate:
        winhttpcertcfg.exe -i <PFX path> -c LOCAL_MACHINE\My -p <PFX password> -a <Account>
        winhttpcertcfg.exe -i "C:\Users\Administrator\Desktop\cert.pfx" -c LOCAL_MACHINE\My -p "<password>" -a Administrators
  4. Grant access to the network service (or the IIS application pool identity). To do this, follow these steps:
    1. Download the WinHttpCertCfg.exe tool to the local computer from the following website:
    2. Find the IIS application pool identity of the SSO Toolkit website. To do this, in IIS Manager, click Application Pools, and then select the application pool for the SSO Toolkit website.
    3. Run the following commands to grant access to the certificate for the application pool identity:

      Note In this example, SSO Toolkit website application pool is running under the Network Service account.
      winhttpcertcfg.exe -s "<subject string>" -c LOCAL_MACHINE\My -g -a "<IIS app pool identity>"
      winhttpcertcfg.exe -s "contoso.sapipartner.com" -c LOCAL_MACHINE\My -g -a "Network Service"

Step 3: Update the Web.config file on the SSO Toolkit server

The Web.config file of the SSO Toolkit website contains the thumbprint of the certificate that's used to get the token from SSO Proxy service. Here's an example entry in the Web.config file:
<!-- SSO Certificate Thumbprint pulled from MMC (see directions in SSO Docs) -->
<add key="certThumb" value="15 7e 2a 3b 94 83 d8 28 7f b9 81 b3 c1 88 53 8c b9 55 f0 8c"/>
To update the Web.config file, follow these steps:
  1. Locate the Web.config file. To do this in IIS Manager, click Sites, select the website, click Content view, right-click the Files window, and then click Explore.
  2. In the Microsoft Management Console, find the thumbprint of the new certificate.
  3. Copy the thumbprint of the new certificate from the Microsoft Management Console (MMC).
  4. Examine the thumbprint for extra characters, hidden characters, or spaces.

    To check for hidden characters, follow these steps:
    1. Copy the thumbprint from the MMC.
    2. Open WordPad or a command prompt, and then paste the thumbprint that you copied.

      For example, at the command prompt, the output should resemble the following:
      C:\Users\ >?15 7e 2a 3b 94 83 d8 28 7f b9 81 b3 c1 88 53 8c b9 55 f0 8c
  5. Copy the thumbprint without including the "?" character.
  6. Update the Web.config file by adding the new value.
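
The following PowerShell script is an added example, not part of the original article or the SSO Toolkit. It reads the certThumb value back from Web.config, reports any character other than hex digits and spaces (such as the hidden character that appears as "?" above), and confirms that the cleaned thumbprint matches a certificate in LOCAL_MACHINE\My. The Web.config path and the location of certThumb under configuration/appSettings are assumptions.

```powershell
param(
    # Hypothetical path: use the folder that IIS Manager opens in step 1.
    [string]$WebConfigPath = 'C:\inetpub\wwwroot\SSOToolkit\Web.config'
)

# Read the certThumb entry (assumed to sit under configuration/appSettings).
[xml]$config = Get-Content -LiteralPath $WebConfigPath -Raw
$node = $config.SelectSingleNode("/configuration/appSettings/add[@key='certThumb']")
if (-not $node) { throw "certThumb key not found in $WebConfigPath" }
$raw = $node.GetAttribute('value')

# Report every character that is not a hex digit or a plain ASCII space.
# A thumbprint copied from the MMC can carry an invisible leading character.
$unexpected = @($raw.ToCharArray() | Where-Object { $_ -notmatch '^[0-9A-Fa-f ]$' })
foreach ($ch in $unexpected) {
    Write-Warning ('Unexpected character U+{0:X4} in certThumb value' -f [int]$ch)
}

# Normalize to the form the certificate store uses: 40 uppercase hex digits.
$thumb = ($raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($thumb.Length -ne 40) {
    Write-Warning "Expected 40 hex digits, found $($thumb.Length)"
}

# Look the certificate up in the store the article requires.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $thumb }
if (-not $cert) {
    Write-Warning "No certificate with thumbprint $thumb in LocalMachine\My"
    return
}

# Summarize what the SSO Toolkit website will load.
[pscustomobject]@{
    Subject          = $cert.Subject
    NotAfter         = $cert.NotAfter
    HasPrivateKey    = $cert.HasPrivateKey
    ConfigValueClean = ($unexpected.Count -eq 0)
}
```

Run it from an elevated PowerShell prompt on the SSO Toolkit server. If ConfigValueClean is False, retype or re-paste the thumbprint in Web.config without the reported characters.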

Step 4: Verify the Web.config file on the SSO Toolkit server

The Web.config file of the SSO Toolkit website contains the Outlook Live redirection URL attribute, redirectURL, under configuration/appSettings. Make sure that the value of the redirectURL attribute is set to the following, where SSODomainName is the name of the SSO domain:
https://www.outlook.com/SSODomainName
Here’s an example entry in the Web.config file:
<add key="redirectURL" value="https://www.outlook.com/contoso.edu" />
Note You may already have the correct value set for the redirectURL attribute. Double-check to confirm.

To update the Web.config file, follow these steps:
  1. Locate the Web.config file. To do this in IIS Manager, click Sites, select the website, click Content view, right-click the Files window, and then click Explore.
  2. In the Microsoft Management Console, find the thumbprint of the new certificate.
  3. Update the Web.config file with the new value. Make sure that there are no extra characters.
  4. Restart IIS.

Step 5: Verify SSO Toolkit functionality

Now that you've completed the steps to switch to the new certificate, test the changes for the SSO Toolkit. To do this, log on to a test account in each domain.
MORE INFORMATION
Still need help? Go to the Office 365 Community website.
Properties:

Article ID: 3057293 - Last review: 02/24/2016 19:16:00 - Revision: 11.0

Microsoft Office 365
