PBCS Quick Tip – ADFS Federation and Signing Certificate issue

 I wanted to write about this one when I first saw it happening. Let’s say that I was on a 7 hour call to figure out what was going on. Hope you can save some time 😉


Now as you know, (if you don’t please check my post on the same) PBCS support Single Sign On. I’ve done this at multiple places and this 7 hour call was at one of my clients.


Before I go ahead and describe what happened here is what you should read Understanding Certificates Used by AD FS. Now that you read it, you might have seen a section where it talks about signing-certificate.


For simplicity purpose think about it as an ID card issued by your company. When you pass through a door you just flash the ID card and off you go. That is the same way it works in PBCS. Now think for a moment that you just had two different ID cards and you tried to swipe both of them together. I’ve done that once and I know what happened afterwards 🙂


 This is currently a limitation in PBCS. It does not support two signing certificate (at-least for now). What happens if you’ve two signing certificates, well you get this error message.
Yeah it doesn’t say anything about certificates isn’t it? 😉 Multiple signing certificates is a common thing, why is it a common thing you might ask. Let me explain it this way – What happens if one certificate is going to expire, you (as an ADFS admin) are going to add a secondary certificate which has a better expiry date.


Boom that’s an issue, you got two signing certs now. However there is an easy (was not so easy for me) fix to the problem.


If you look at the metadata xml file of your ADFS installation, you’ll see something similar.
There you  go two certs. Now you need to find out which one to keep. I used CSR Decoder and Certificate Decoder to decode the cert. You’ll see something similar once the decoding is done.
Keep the one that is valid longer and remove the rest from the XML file. It should look something similar
There are many instance of signing certs in the XML file, all you’ve to do is to keep searching for <KeyDescriptor use=”signing”> and keep removing the certificate which is going to expire soon


Upload the updated metadata.xml file to PBCS and you should be good to go.


There was also a client who was using Microsoft Azure with PBCS and they had a strange issue.


 Their signing certificates were added by Microsoft and what was happening was if you remove one signing cert from the XML only a groups of users can login (the other set cannot), if you make the other one active the other set can login. They had to keep switching the XML file till Microsoft fixed the issue for them. (I guess they had to wait for 24hrs for both user sets to start using the same signing certificate.


Hope it helps you.

About Celvin Kattookaran

I’m an EPM Consultant, my primary focus is on Hyperion Planning and Essbase. Some of you from Hyperion Support team might recognize me or have seen my support articles, I was with the WebAnalysis Support Team. I'm an Independent Consultant with “Intekgrate Corporation” based out of Aurora office. I’m from God’s Own Country (Kerala, India), lived in all southern states of India, Istanbul and Johannesburg (and of course United States). I’m core gamer :) and an avid reader. I was awarded Oracle ACE Director for my contributions towards EPM community.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.