Today my Office 365 ADFS sign in process was broken. Skype for Business (running from Office 365) wouldn’t sign in, and when I tried to sign in to portal.office.com I ended up at a page saying:
Sign In. Sorry, but we're having trouble signing you in. We received a bad request. Additional technical information: Correlation ID: (some GUID) Timestamp: (now) AADSTS50008: Unable to verify token signature. The signing key identifier does not match any valid registered keys.
Worked fine yesterday. I’d not touched anything.
ADFS itself was working fine; I could sign in via https://adfs.rcmtech.co.uk/adfs/ls/idpinitiatedsignon.htm
The Web Application Proxy Servers looked fine too.
I checked the AD FS management console, and noticed under Service – Certificates that the Token-decrypting and Token-signing certificates all had today as their Effective Date.
The fix was to fire up PowerShell and use
# sign in to Azure AD with a global admin account
Connect-MsolService -Credential (Get-Credential)
# point the MSOnline cmdlets at one of the internal AD FS servers
Set-MsolADFSContext -Computer adfsserver01.rcmtech.co.uk
# push the current AD FS certificate details up to Azure AD for the federated domain
Update-MsolFederatedDomain -DomainName rcmtech.co.uk
where the credentials are those of my rcmtechcouk.onmicrosoft.com global admin account, and adfsserver01.rcmtech.co.uk is the name of one of my internal ADFS servers.
That updates the token-signing and token-decrypting certificate details that Office 365 (Azure AD) holds for the federated domain so that they match the certificates AD FS is now using (the ones with today's effective date). Until Azure AD has the new key, it rejects tokens signed by AD FS with AADSTS50008.
Update: If you get the following error from the Microsoft Remote Connectivity Analyser Office 365 Single Sign-On Test:
The Integrated Windows authentication endpoint is missing on the internal metadata document.
The commands above fix that too. Note that you need to wait a little while before the updated details start to be used.
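An added PowerShell check (not from the original post) that compares the token-signing certificate AD FS is using with the one Azure AD has on file for the domain, so the mismatch behind AADSTS50008 can be spotted before users hit it, and only runs Update-MsolFederatedDomain when they actually differ. It assumes the MSOnline module, a global admin credential, and that Get-MsolFederationProperty returns one object per Source ("ADFS Server" and "Microsoft Office 365") carrying a TokenSigningCertificate property; the domain and server names are the ones from the post.

```powershell
# Added example: detect an AD FS / Azure AD token-signing certificate mismatch
# for a federated domain and optionally repair it.
# Assumptions: MSOnline module installed; Get-MsolFederationProperty returns one
# object per Source ("ADFS Server", "Microsoft Office 365") with a
# TokenSigningCertificate (X509Certificate2) property.
param(
    [string]$DomainName = 'rcmtech.co.uk',               # from the post
    [string]$AdfsServer = 'adfsserver01.rcmtech.co.uk',  # from the post
    [switch]$Fix                                         # actually push the update
)

Import-Module MSOnline -ErrorAction Stop
Connect-MsolService -Credential (Get-Credential -Message 'Azure AD global admin')
Set-MsolADFSContext -Computer $AdfsServer

# One object describes what AD FS is using, the other what Azure AD has stored.
$props = Get-MsolFederationProperty -DomainName $DomainName
$adfs  = $props | Where-Object { $_.Source -eq 'ADFS Server' }
$aad   = $props | Where-Object { $_.Source -eq 'Microsoft Office 365' }

$adfsCert  = $adfs.TokenSigningCertificate
$adfsThumb = $adfsCert.Thumbprint
$aadThumb  = $aad.TokenSigningCertificate.Thumbprint

Write-Host "AD FS    token-signing: $adfsThumb (valid $($adfsCert.NotBefore) to $($adfsCert.NotAfter))"
Write-Host "Azure AD token-signing: $aadThumb"

if ($adfsThumb -eq $aadThumb) {
    Write-Host 'Azure AD already trusts the certificate AD FS is signing with. Nothing to do.'
    return
}

# This is the state that produces AADSTS50008: AD FS signs with a key Azure AD
# has never been told about (e.g. after an automatic certificate rollover).
Write-Warning "Mismatch: sign-ins for $DomainName will fail with AADSTS50008 until Azure AD learns the new key."

if ($Fix) {
    Update-MsolFederatedDomain -DomainName $DomainName
    Write-Host 'Federation metadata updated. Allow some time before retesting sign-in.'
} else {
    Write-Host "Re-run with -Fix to execute: Update-MsolFederatedDomain -DomainName $DomainName"
}
```

Running it without -Fix is safe to schedule as a periodic check; the warning is the signal to act before the next certificate rollover breaks sign-in again.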