Office365 SSO fails after upgrading CloudAccess signing certificate

  • 7018499
  • 19-Jan-2017
  • 19-Jan-2017


NetIQ Cloud Access 3.0
NetIQ Cloud Access 2.3


The customer is using CloudAccess (3.0) primarily for federation with Office 365. Their certificate used on the NCA is expiring. The documentation indicates that updating or replacing signing or connector certificates should automatically update the SAML/WS-Fed SPs with the new signing certificate if they are part of the provisioning setup, i.e. there is no need to update the Office 365 configuration.

After upgrading the signing certificate, users could no longer SSO to Office 365; they would get errors from Office 365 stating that the token was invalid.


Manually force an update to the settings of the single sign-on domain using 'Set-MsolDomainFederationSettings'. In our case, our federated domain in Office 365 was, and our CloudAccess box was

Set-MsolDomainFederationSettings -DomainName -IssuerUri
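
To check for the condition described above before and after forcing the update, the signing certificate Office 365 currently holds for the domain can be compared with the new CloudAccess signing certificate. This is an added example, not part of the original article; it assumes the MSOnline module with a session opened by Connect-MsolService, and the domain name and certificate file path are placeholders.

```powershell
# Added example. $Domain and $NewCertPath are placeholders, not values from the article.
# Requires the MSOnline module and an existing Connect-MsolService session.
$Domain      = '<federated-domain>'               # placeholder: the federated Office 365 domain
$NewCertPath = 'C:\temp\new-signing-cert.cer'     # placeholder: public signing cert exported from CloudAccess

function ConvertTo-Certificate {
    param([Parameter(Mandatory)][string]$Base64)
    # Federation settings hold the certificate as a base64-encoded DER string.
    $bytes = [Convert]::FromBase64String(($Base64 -replace '\s', ''))
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
}

# What Office 365 currently trusts for this domain.
$fed      = Get-MsolDomainFederationSettings -DomainName $Domain
$o365Cert = ConvertTo-Certificate -Base64 $fed.SigningCertificate

# The certificate CloudAccess now signs tokens with (public part only).
$newCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $NewCertPath

# A secondary (rollover) certificate may also be registered; report it if present.
$nextThumb = $null
if ($fed.NextSigningCertificate) {
    $nextThumb = (ConvertTo-Certificate -Base64 $fed.NextSigningCertificate).Thumbprint
}

$trusted = @($o365Cert.Thumbprint, $nextThumb) -contains $newCert.Thumbprint

[pscustomobject]@{
    Domain                 = $Domain
    IssuerUri              = $fed.IssuerUri
    Office365Thumbprint    = $o365Cert.Thumbprint
    Office365CertNotAfter  = $o365Cert.NotAfter
    Office365NextThumbprint = $nextThumb
    CloudAccessThumbprint  = $newCert.Thumbprint
    CloudAccessCertNotAfter = $newCert.NotAfter
    NewCertTrusted         = $trusted
} | Format-List

if (-not $trusted) {
    Write-Warning "Office 365 does not hold the new signing certificate for $Domain; the federation settings still need to be updated."
}
```

Running it again after the Set-MsolDomainFederationSettings step should show NewCertTrusted as True.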