Office 365 - Token Signature Validation failed when submitted to Azure Active Directory


After 6 months of successfully integrating ComponentSpace SAML SSO with Office 365, our production SSO recently stopped working. The result when debugging using the Microsoft Connectivity Analyzer is below:
Some issues were found while submitting the token to Azure Active Directory.
Additional Details : The token failed signature validation when it was submitted to Azure Active Directory. The endpoint returned following error code : 80041317

Was the certificate changed, or has the certificate expired?

Which certificate? The domain certificate which is bound to the IIS server, or do you mean idp.cer which is saved in a local directory?

I assume the SAML assertion (i.e. the token) is being signed and Office 365 can no longer verify the signature. This is the idp.cer, not the SSL certificate configured in IIS.

Do I need to regenerate a new idp.cer and configure it back with Set-MsolDomainAuthentication? I tried to use the idp.cer created by ComponentSpace in our testing SSO, which was also running without problem before this, but now I'm facing the same issue as in production.

I suggest running:

Get-MsolDomainFederationSettings -DomainName

This will list the configuration including the SigningCertificate.
Make sure that you are using the corresponding private key for signature generation at your IdP site.
Also, double check that this certificate hasn’t expired.
You can configure for federated SAML SSO in Office 365 using Set-MsolDomainAuthentication.
Alternatively, you can update your configuration using Set-MsolDomainFederationSettings.
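The check described in the answer above, written out as a PowerShell script. This is an added example, not code from the forum thread or from ComponentSpace: it pulls the SigningCertificate that Azure AD currently holds for the federated domain, decodes it, and compares its thumbprint and expiry against the local idp.cer, then shows (commented out) how the registration would be updated with Set-MsolDomainFederationSettings. The domain name, the idp.cer path, and the requirement that the MSOnline module is loaded and Connect-MsolService has already been run are assumptions.

```powershell
# Added example (not from the thread or ComponentSpace): does Azure AD trust the
# same signing certificate that the IdP signs SAML assertions with?
# Assumptions: MSOnline module installed, Connect-MsolService already run,
# $DomainName and $IdpCertPath are placeholders that must be set for your tenant.
param(
    [string]$DomainName  = 'example.com',     # assumed placeholder
    [string]$IdpCertPath = 'C:\SSO\idp.cer'   # assumed placeholder
)

Add-Type -AssemblyName System.Security

# Signing certificate registered in Azure AD for the federated domain.
# SigningCertificate is the base64-encoded DER certificate.
$fed = Get-MsolDomainFederationSettings -DomainName $DomainName
if (-not $fed.SigningCertificate) {
    throw "No SigningCertificate is registered in Azure AD for $DomainName"
}
$cloudBytes = [Convert]::FromBase64String($fed.SigningCertificate)
$cloudCert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cloudBytes)

# Certificate the IdP is configured to sign with (public part on disk).
$localCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($IdpCertPath)

"Azure AD trusts : {0}  thumbprint={1}  expires={2}" -f $cloudCert.Subject, $cloudCert.Thumbprint, $cloudCert.NotAfter
"Local idp.cer   : {0}  thumbprint={1}  expires={2}" -f $localCert.Subject, $localCert.Thumbprint, $localCert.NotAfter

# Expiry check on both sides: an expired certificate is rejected even if it matches.
$now = Get-Date
if ($cloudCert.NotAfter -lt $now) { Write-Warning "Certificate registered in Azure AD expired on $($cloudCert.NotAfter)" }
if ($localCert.NotAfter -lt $now) { Write-Warning "Local idp.cer expired on $($localCert.NotAfter)" }

# Thumbprint mismatch means assertions signed with the local private key will
# fail signature validation at Azure AD (the 80041317-style failure above).
if ($cloudCert.Thumbprint -ne $localCert.Thumbprint) {
    Write-Warning "Thumbprints differ: Azure AD will not validate signatures made with the local idp.cer key."
    # To re-register the local certificate, export its public part as base64 DER
    # and push it. Uncomment only after confirming the IdP actually signs with
    # the private key that belongs to this idp.cer.
    # $newB64 = [Convert]::ToBase64String(
    #     $localCert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
    # Set-MsolDomainFederationSettings -DomainName $DomainName -SigningCertificate $newB64
} else {
    "Thumbprints match; the registered signing certificate is not the cause."
}
```

Run it from a session where Connect-MsolService has succeeded. A mismatch or an expired NotAfter on either side explains the signature validation error; if both match and are valid, look instead at whether the IdP is signing with a different private key than the one idp.cer was issued for.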