How to Update the ADFS Token-Signing Certificate
Lawson SSO issue
We are having an issue with ADFS SSO login with Lawson and I need someone to pull the updated metadata.
ADFS auto-creates a new ‘secondary’ decrypt and signing cert 20 days prior to expiration, so on 8/31-ish. It then promotes the secondary to primary 5 days later, so that would have been today.
Update the ADFS Token-Signing Certificate
When the ADFS Token-Signing certificate is updated on the ADFS server, it must be imported into Lawson and Infor OS.
Someone with admin rights on the ADFS instance will need to export the certificate and provide you with the “.cer” file before these tasks can be completed.
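Before importing, it is worth confirming that the “.cer” file you were given is a signing certificate ADFS is currently publishing. The following is an added example, not part of the original procedure: it compares the thumbprint of a .cer file (either export format) with the signing certificates in a saved copy of the ADFS federation metadata. The function names and sample data are constructed for illustration, with placeholder bytes standing in for real certificates.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def thumbprint(der: bytes) -> str:
    # SHA-1 over the DER bytes, the value Windows displays as "Thumbprint".
    return hashlib.sha1(der).hexdigest().upper()

def cer_to_der(data: bytes) -> bytes:
    # A .cer export is either DER binary or Base-64 text with PEM markers.
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def metadata_signing_thumbprints(metadata_xml: str) -> set:
    # Every KeyDescriptor usable for signing; around a rollover the metadata
    # can list more than one. A missing "use" attribute means both uses.
    found = set()
    for kd in ET.fromstring(metadata_xml).iter(MD + "KeyDescriptor"):
        if kd.get("use", "signing") == "signing":
            for cert in kd.iter(DS + "X509Certificate"):
                found.add(thumbprint(base64.b64decode(cert.text or "")))
    return found

def cer_matches_metadata(cer: bytes, metadata_xml: str) -> bool:
    return thumbprint(cer_to_der(cer)) in metadata_signing_thumbprints(metadata_xml)

# Constructed sample data: placeholder bytes stand in for DER certificates.
NEW_DER, OLD_DER, ENC_DER = b"new-signing", b"old-signing", b"encryption"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(NEW_DER)
              + b"\n-----END CERTIFICATE-----\n")

def key_descriptor(use: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return (f'<KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{b64}</ds:X509Certificate>'
            f'</ds:X509Data></ds:KeyInfo></KeyDescriptor>')

SAMPLE_METADATA = (
    '<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><IDPSSODescriptor>'
    + key_descriptor("encryption", ENC_DER) + key_descriptor("signing", NEW_DER)
    + '</IDPSSODescriptor></EntityDescriptor>')

if __name__ == "__main__":
    print("Base-64 export matches:", cer_matches_metadata(SAMPLE_PEM, SAMPLE_METADATA))
    print("stale cert matches:", cer_matches_metadata(OLD_DER, SAMPLE_METADATA))
```

With real files, read the .cer in binary mode and pass the saved metadata XML as text; a mismatch means the file is not one of the signing certificates in that metadata and should not be imported.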
Update the Certificate in Lawson
Log onto the Lawson Server
Start an ssoconfig -c session
Export Services
- Select Manage Lawson services
- Select Export Services and Identity Info
- Choose Yes for all services, None for identities, and give it a file name
Check the file for the Service ID name and make a note of it
In this case, LSF_ADFS is the service name.
Go to “Manage WS Federation Settings” > “Manage Certificates”
Select “Delete WS Federation Certificate”
Select “Create certificate for WS Federation”
Select “Delete IdP certificate”
Enter the service name of your ADFS service
Select “Import IdP Certificate”
Enter the service name of your ADFS service
Provide the full path where you have the token-signing certificate saved
Verify that the External Portal works (it goes through ADFS)
Update the Certificate in Infor OS
Log into the Infor OS server as the LAWSON user
Go to STSAdminUI
Click on IdP Connections
Click on Edit
Scroll down and you will see that the signing cert has changed
Go back to the top and click on the world
Enter the URL that Admin provided and click on OK
Now test your connections