Howto: Re-Initialize O365 After Certificate Change

Howto

How to re-initialize the Office 365 connection after you have renewed your UCS SSO/SAML certificates.

Environment

You might see the following error message when trying to log in to O365:
Unable to verify token signature. The signing key identifier does not match any valid registered keys

The new certificates are located in /etc/simplesamlphp/ and are called ucs-sso.<DOMAIN-NAME>-idp-certificate.crt and ucs-sso.<DOMAIN-NAME>-idp-certificate.key. They are copies of cert.pem and private.key from /etc/univention/ssl/<FQDN-HOSTNAME>/.

Step 1

Update internal structures following this article.

Step 2

Re-execute related join script:
univention-run-join-scripts --force --run-scripts 92univention-management-console-web-server.inst

Step 3

Start the generation of the PowerShell script for Windows.
/usr/sbin/generate_office365_saml_powershell_script defaultADconnection

Step 4

Copy the generated script (usually at /var/lib/univention-office365/saml_setup_defaultADconnection.bat) to a Windows machine and run it to re-register your keys.
Note: You will need the Azure AD admin credentials for this step!
Note 2: If you cannot execute the script and get warnings, make sure that the MSOnline module is installed. You can install it in PowerShell with:

Install-Module -Name MSOnline

Then proceed with the execution of the .bat script.
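The error above means the certificate Azure AD has registered no longer matches the one the UCS IdP signs with. Before re-running the join script (Step 2), it is worth confirming that the IdP certificate in /etc/simplesamlphp really is the renewed cert.pem. The following check is an added example and not part of this article or of UCS; it uses only the Python standard library, compares SHA-256 fingerprints in the same format as openssl x509 -fingerprint, and assumes the default paths named above (domain and FQDN are parameters).

```python
"""Check that the SimpleSAMLphp IdP certificate UCS uses for SAML/O365 is the
renewed UCS SSL certificate it is supposed to be copied from (added example)."""
import hashlib
import ssl
from pathlib import Path


def cert_fingerprint(pem_text: str) -> str:
    """SHA-256 fingerprint of the DER form of a PEM certificate, as
    colon-separated uppercase hex (same layout as `openssl x509 -fingerprint`).
    Leading whitespace and line wrapping do not change the result."""
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def idp_cert_matches_ucs_cert(idp_pem: str, ucs_pem: str) -> bool:
    """True when the IdP certificate is the same certificate as the renewed
    /etc/univention/ssl cert.pem (identical DER, hence identical fingerprint)."""
    return cert_fingerprint(idp_pem) == cert_fingerprint(ucs_pem)


def check_idp_cert(domain: str, fqdn: str,
                   simplesaml_dir: str = "/etc/simplesamlphp",
                   ssl_dir: str = "/etc/univention/ssl") -> dict:
    """Read both certificates from the default UCS locations (paths as in the
    article; domain/FQDN supplied by the caller) and report the comparison."""
    idp_path = Path(simplesaml_dir, f"ucs-sso.{domain}-idp-certificate.crt")
    ucs_path = Path(ssl_dir, fqdn, "cert.pem")
    idp_pem, ucs_pem = idp_path.read_text(), ucs_path.read_text()
    return {
        "idp_fingerprint": cert_fingerprint(idp_pem),
        "ucs_fingerprint": cert_fingerprint(ucs_pem),
        "in_sync": idp_cert_matches_ucs_cert(idp_pem, ucs_pem),
    }


if __name__ == "__main__":
    import sys
    # Usage: python3 check_idp_cert.py <DOMAIN-NAME> <FQDN-HOSTNAME>
    result = check_idp_cert(sys.argv[1], sys.argv[2])
    for key, value in result.items():
        print(f"{key}: {value}")
    # Non-zero exit if the IdP still signs with the old certificate.
    sys.exit(0 if result["in_sync"] else 1)
```

If in_sync is False, the renewed certificate has not been copied to /etc/simplesamlphp yet, and Step 3 would generate a PowerShell script registering the wrong key in Azure AD.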

Afterwards login should succeed again.
For further issues, also consider this article.
