How to update MetadataExchangeURI for Federated domains using SAMLP Protocol


Recently I ran into an issue with a customer who was attempting to update the MetadataExchangeURI in their federation settings: when they ran the necessary cmdlets, the MetadataExchangeURI would not update, which prevented the admin from completing the federation setup for their domain. You may run into this issue if you are federating your domain with a third-party IdP such as PingFederate, Okta, Centrify, or Shibboleth.

We did some testing and found that we had to set the domain back to managed in order to get the MetadataExchangeURI to update. The cause appears to be that, even though the MetadataExchangeURI is updated in Microsoft's MSODS system, Microsoft's OrgID system still returns the old value. OrgID does not update the value because, when the protocol is set to SAMLP, no updates to the MetadataExchangeURI are allowed. OrgID is a legacy authentication platform first used with Live accounts; it no longer services authentication but has not yet been completely decoupled from AAD, so this kind of inconsistency between the two services causes issues. We ran some additional tests and found a workaround: update the MetadataExchangeURI with the protocol set to WSFed, change the domain back to managed, and then federate again with the correct values using SAMLP.

Steps to resolve are as follows:

First, set the values you want to use in variables:

$domainName = "Davengers.us"
$BrandName = "ADFS"
$browserSSOLoginURL = "https://adfs.davengers.us/adfs/services/trust/2005/usernamemixed"
$logoutURL = "https://adfs.davengers.us/adfs/ls/"
$issuerProviderID = "davengers.us/adfs/services/trust/"
$idpSigningCert = "[insert cert info]"
$MetadataURL = "https://newvalue/adfs/services/trust/mex"
$ssoProtocol = "SAMLP"

Then run the following steps:

  1. Open Windows Azure Active Directory PowerShell and connect to the MSOL service.
    1. Connect-MsolService
  2. Confirm whether the domain is currently set to managed or federated.
    1. Get-MsolDomain
  3. Set the domain back to managed.
    1. Set-MsolDomainAuthentication -DomainName $domainName -Authentication Managed
  4. Federate the domain as WSFed, with the correct URLs.
    1. Set-MsolDomainAuthentication -DomainName $domainName -FederationBrandName $BrandName -Authentication Federated -PassiveLogOnUri $browserSSOLoginURL -SigningCertificate $idpSigningCert -IssuerUri $issuerProviderID -LogOffUri $logoutURL -PreferredAuthenticationProtocol WSFed -MetadataExchangeUri $MetadataURL
  5. Set the domain back to managed. If you get an error, wait 1-2 minutes for replication and retry.
    1. Set-MsolDomainAuthentication -DomainName $domainName -Authentication Managed
  6. Federate the domain as SAMLP with all the correct URLs.
    1. Set-MsolDomainAuthentication -DomainName $domainName -FederationBrandName $BrandName -Authentication Federated -PassiveLogOnUri $browserSSOLoginURL -SigningCertificate $idpSigningCert -IssuerUri $issuerProviderID -LogOffUri $logoutURL -PreferredAuthenticationProtocol SAMLP -MetadataExchangeUri $MetadataURL
  7. View the results and confirm everything is set as expected.
    1. Get-MsolDomainFederationSettings -DomainName $domainName | Format-List
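The same sequence as a single script, added here as an example and not part of the original article: it waits for each authentication change to replicate before the next one (the step 5 error case) and then checks that the values OrgID now hands back match what was sent. It assumes Connect-MsolService has been run and the variables above are set; the two helper function names are hypothetical.

```powershell
# Added example (not from the original post): steps 3-7 with a replication wait
# between changes and a final verification. Assumes Connect-MsolService has been
# run and $domainName, $BrandName, $browserSSOLoginURL, $logoutURL,
# $issuerProviderID, $idpSigningCert, $MetadataURL and $ssoProtocol are set.
# Helper function names are hypothetical; cmdlets/parameters are the ones above.

function Wait-ForDomainAuthentication {
    param([string]$Domain, [string]$Expected, [int]$TimeoutSeconds = 180)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $auth = (Get-MsolDomain -DomainName $Domain).Authentication
        if ("$auth" -eq $Expected) { return $true }
        Start-Sleep -Seconds 15   # covers the 1-2 minute replication delay from step 5
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Set-DomainFederation {
    param([string]$Protocol)   # 'WSFed' for step 4, 'SAMLP' for step 6
    Set-MsolDomainAuthentication -DomainName $domainName -FederationBrandName $BrandName `
        -Authentication Federated -PassiveLogOnUri $browserSSOLoginURL `
        -SigningCertificate $idpSigningCert -IssuerUri $issuerProviderID `
        -LogOffUri $logoutURL -PreferredAuthenticationProtocol $Protocol `
        -MetadataExchangeUri $MetadataURL
}

foreach ($protocol in @('WSFed', $ssoProtocol)) {
    # Steps 3 and 5: back to managed, so the new MetadataExchangeUri is accepted
    Set-MsolDomainAuthentication -DomainName $domainName -Authentication Managed
    if (-not (Wait-ForDomainAuthentication -Domain $domainName -Expected 'Managed')) {
        throw "$domainName did not return to Managed within the timeout"
    }
    # Steps 4 and 6: federate as WSFed first, then as SAMLP
    Set-DomainFederation -Protocol $protocol
    if (-not (Wait-ForDomainAuthentication -Domain $domainName -Expected 'Federated')) {
        throw "$domainName did not become Federated ($protocol) within the timeout"
    }
}

# Step 7: compare what the service returns with what was sent, not just the call's success
$settings = Get-MsolDomainFederationSettings -DomainName $domainName
$expected = @{
    MetadataExchangeUri             = $MetadataURL
    PreferredAuthenticationProtocol = $ssoProtocol
    IssuerUri                       = $issuerProviderID
    PassiveLogOnUri                 = $browserSSOLoginURL
}
$mismatches = $expected.Keys | Where-Object { "$($settings.$_)" -ne $expected[$_] } |
    ForEach-Object { "$_ is '$($settings.$_)', expected '$($expected[$_])'" }
if ($mismatches) { Write-Warning ($mismatches -join "`n") } else { "Federation settings verified for $domainName" }
```

If Set-MsolDomainAuthentication itself errors inside the replication window, rerun the loop body for that protocol once the wait helper reports the previous state.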


Thanks to Dragos C. and John K. for assistance in writing and editing the article.