Introduction:
BrightIdea is a cloud-based application that collects ideas from employees for a specific campaign created by the company. If you are new to BrightIdea and want to know more about the product, please visit http://www.brightidea.com/
BrightIdea supports SAML-based SSO, so I configured BrightIdea SSO against our ADFS infrastructure. The token-signing certificate validity was left at the default of 365 days. Even though the third-party certificate we procured from an external CA such as VeriSign is valid for 2 or 3 years, the token-signing certificate expires in 365 days.
PS: The expiration of the token-signing certificate in ADFS can be extended with a PowerShell command. But in this scenario we have a token-signing certificate with a 365-day validity, which means it is going to expire in a few days, so I tried to change the certificate in BrightIdea.
Issue:
I exported the public key of the newly created token-signing certificate by following the steps in this article:
https://technet.microsoft.com/en-us/library/cc737522(v=ws.10).aspx
After exporting the certificate, I logged in to the BrightIdea portal, went to the Authentication tab, navigated to the SAML profile and expanded the SSO settings. I removed the old public key certificate and uploaded the new certificate I had exported from the ADFS server.
After this I restarted the ADFS service (which may not be required, but I did it to be on the safe side). I checked the SSO URL but got the error message “So sorry – your request could not be processed”. I reverted the change by uploading the old certificate to see if that worked, but ended up with the same error.
Cause:
Clearly something was not correct in the process I followed, so I needed to dig deeper by analyzing the event IDs in ADFS and the logs from BrightIdea. In BrightIdea I could see that the transaction failed with the error “Create Authentication Request: Identity Provider Data Error: Could not find encoded certificate in file”.
When I checked the BrightIdea portal help, I found a clue: the certificate was not in a format the portal could read. BrightIdea expects the certificate in plain-text format, but there is no option to upload the certificate as a .txt file.
Resolution:
After breaking my head analyzing the logs and uploading the certificate in different formats, I finally cracked the way to make it work. You will not believe how simple the solution is. Trust me!!! The method I was following to update the certificate is pretty common across cloud-based applications (Workday, CA Clarity, WebEx): we follow the same steps to update the token-signing certificate in all of them. But BrightIdea does not like the way we usually do it. The way I resolved it is:
- Set the newly generated token-signing certificate and token-decrypting certificate in the ADFS server as primary
- Restarted the ADFS service
- Exported the federation metadata from the ADFS server
- Uploaded it in BrightIdea and made sure the new certificate was updated from the metadata
- Ensured the certificate sign-in authentication type is RSA_SHA1, as we have the same type in ADFS.
Refreshed the browser and voila!!! It started working fine 🙂 so this metadata file saved me a few more hours of troubleshooting. Let me know through the comments if you have any other interesting steps to resolve this issue, and please don’t say that we can turn off certificate-based authentication.. LOL 🙂 Have a great day ahead!!
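Before uploading the metadata it is worth checking that it really carries the new token-signing certificate. The following is an added Python example, not code from BrightIdea or Microsoft: it reads every use="signing" certificate out of an ADFS FederationMetadata.xml, reports the SHA-1 thumbprint the ADFS console shows and the notAfter date (via a minimal DER walk, no third-party library), and wraps the certificate as PEM, a plain-text form of the same certificate. The metadata document and the certificate bytes in it are constructed test data, not real ADFS output.

```python
import base64, datetime, hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def tlv(buf, pos):
    """Read one DER tag+length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length: next n bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def not_after(der):
    """Walk Certificate > tbsCertificate > validity and return notAfter."""
    _, p, _ = tlv(der, 0)                        # descend into Certificate
    _, p, _ = tlv(der, p)                        # descend into tbsCertificate
    tag, _, end = tlv(der, p)
    if tag == 0xA0:                              # skip optional [0] EXPLICIT version
        p = end
    for _ in range(3):                           # skip serialNumber, signature, issuer
        _, _, p = tlv(der, p)
    _, p, _ = tlv(der, p)                        # descend into validity
    _, _, p = tlv(der, p)                        # skip notBefore
    tag, s, e = tlv(der, p)                      # notAfter: UTCTime (0x17) or GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.datetime.strptime(der[s:e].decode("ascii"), fmt)

def signing_certs(metadata_xml):
    """Return [(sha1_thumbprint, not_after, pem)] for every use="signing" key."""
    root = ET.fromstring(metadata_xml)
    result = []
    for el in root.findall(".//md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS):
        der = base64.b64decode("".join(el.text.split()))
        thumb = hashlib.sha1(der).hexdigest().upper()   # the thumbprint ADFS displays
        pem = "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der).decode()
        result.append((thumb, not_after(der), pem))
    return result

def enc(tag, body):                              # DER TLV with short-form length (test data only)
    return bytes([tag, len(body)]) + body

# Constructed test data: a DER prefix that stops after validity (enough for the walk above).
SAMPLE_DER = enc(0x30, enc(0x30,                                       # Certificate > tbsCertificate
    enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01")                 # version v3, serialNumber 1
    + enc(0x30, enc(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05") + enc(0x05, b"")) + enc(0x30, b"")  # sigalg, issuer
    + enc(0x30, enc(0x17, b"170101000000Z") + enc(0x17, b"180101000000Z"))))  # validity
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"><IDPSSODescriptor>
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
  <X509Certificate>{base64.b64encode(SAMPLE_DER).decode()}</X509Certificate></X509Data></KeyInfo>
  </KeyDescriptor></IDPSSODescriptor></EntityDescriptor>"""
```

Compare the thumbprint it reports against the primary token-signing certificate in the ADFS console before uploading the file to the relying party.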