Hi everyone,
For those using SSO OAuth with Entra, how are you managing the "OAuth Server Certificate" that you import from Microsoft?
We initially imported the certificate through the Configuration Editor from the server, which worked fine. However, over the past week, we have had to manually add two additional certificates and their intermediate certificates to the PWM configuration. This was necessary because we encountered repeated ERROR_CERTIFICATE_ERROR messages like the one below, which were preventing our users from logging in:
2025-03-25T13:03:06Z, ERROR, oauth.OAuthConsumerServlet, {JkSY1} unexpected error communicating with oauth server: 5071 ERROR_OAUTH_ERROR (error during oauth code resolver http request to oauth server, remote error: 5057 ERROR_SERVICE_UNREACHABLE (error while making http request: 5059 ERROR_CERTIFICATE_ERROR (server certificate subject=CN=stamp2.login.microsoftonline.com, O=Microsoft Corporation, L=Redmond, ST=WA, C=US, serial=1137474497244329776268310819623939433294798145 is not signed by configured ROOT CA certificate(s): server certificate subject=CN=stamp2.login.microsoftonline.com, O=Microsoft Corporation, L=Redmond, ST=WA, C=US, serial=1137474497244329776268310819623939433294798145 is not trusted by ROOT CA subject=CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US, serial=3261708894152296593076398650851921056 server certificate subject=CN=stamp2.login.microsoftonline.com, O=Microsoft Corporation, L=Redmond, ST=WA, C=US, serial=1137474497244329776268310819623939433294798145 is not trusted by ROOT CA subject=CN=Microsoft Azure RSA TLS Issuing CA 03, O=Microsoft Corporation, C=US, serial=6777998955659694689652228948589800396 )))

Notably, the latest certificate that caused the issue was created this morning at 5:32 AM EDT.
My question is: Is there a way to configure PWM to automatically download and validate intermediate certificates along with the primary one from Microsoft? This would prevent us from having to monitor logs and manually update the "OAuth Server Certificate" every time Microsoft changes certificates. Or is there a setting in the Entra configuration that will force Microsoft to serve up the same certificate every time?
Any insights or suggestions would be greatly appreciated!
Thanks!
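The error above is worth reading closely: the certificates PWM lists as its configured "ROOT CA" certificates (DigiCert SHA2 Secure Server CA, Microsoft Azure RSA TLS Issuing CA 03) are issuing (intermediate) CAs, so the moment Microsoft issues a leaf from a different issuing CA, the chain no longer ends at anything PWM trusts. The following Go program is an added example, not PWM's code or anything from Microsoft; it builds a constructed three-tier chain (root, two issuing CAs, leaves) with Go's standard crypto/x509 and checks which trust-anchor choice still validates after the issuing CA rotates. The hostname is reused from the post purely as a label; all keys and certificates are generated locally, and no real Microsoft certificate is involved. It also shows why trusting only the real root is not enough on its own: the intermediate still has to be presented by the server (or supplied in the configuration), because this verifier, like most, does not fetch missing intermediates itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn signed by parent, or self-signed when
// parent is nil. All material is constructed for this example.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	signer, signKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyChain mimics what a client does at connection time: it tries to build a
// path from the server's leaf, through whatever intermediates the server
// presented, to one of the configured trust anchors. Returns nil on success.
func verifyChain(leaf *x509.Certificate, presented, anchors []*x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	for _, a := range anchors {
		roots.AddCert(a)
	}
	inters := x509.NewCertPool()
	for _, c := range presented {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

// Result records whether each trust-anchor strategy still validates the
// server's chain after its issuing CA has been rotated.
type Result struct {
	PinRootOK                 bool // anchor = real root, server presents new intermediate
	RootWithoutIntermediateOK bool // anchor = real root, but intermediate not presented
	PinOldIntermediateOK      bool // anchor = previous issuing CA (what the log shows)
	PinOldLeafOK              bool // anchor = previous leaf certificate
	PinCurrentLeafOK          bool // anchor = the leaf currently served (works until it changes)
}

// simulateRotation builds a constructed PKI, rotates the issuing CA, and
// evaluates each strategy against the post-rotation chain.
func simulateRotation() Result {
	host := "stamp2.login.microsoftonline.com" // label from the post; certificate is constructed
	root, rootKey := issue("Example Root CA (constructed)", true, nil, nil)
	oldInt, oldIntKey := issue("Example Issuing CA 01 (constructed)", true, root, rootKey)
	newInt, newIntKey := issue("Example Issuing CA 02 (constructed)", true, root, rootKey)
	oldLeaf, _ := issue(host, false, oldInt, oldIntKey)
	newLeaf, _ := issue(host, false, newInt, newIntKey) // what the server serves after rotation

	presented := []*x509.Certificate{newInt}
	return Result{
		PinRootOK:                 verifyChain(newLeaf, presented, []*x509.Certificate{root}, host) == nil,
		RootWithoutIntermediateOK: verifyChain(newLeaf, nil, []*x509.Certificate{root}, host) == nil,
		PinOldIntermediateOK:      verifyChain(newLeaf, presented, []*x509.Certificate{oldInt}, host) == nil,
		PinOldLeafOK:              verifyChain(newLeaf, presented, []*x509.Certificate{oldLeaf}, host) == nil,
		PinCurrentLeafOK:          verifyChain(newLeaf, presented, []*x509.Certificate{newLeaf}, host) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", simulateRotation())
}
```

Only the root-anchored check survives the rotation, and only when the intermediate is actually presented; pinning the issuing CA or the leaf is exactly the configuration that breaks each time a new certificate appears, which is consistent with the "is not trusted by ROOT CA" lines in the log. The same program is a reasonable basis for a monitoring check: replace the constructed chain with the chain captured from a live TLS handshake and alert when verification against the configured anchors starts failing, rather than discovering it from user login errors.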