ADFS error AADSTS50008: SAML token is invalid.

Recently I got this error, "AADSTS50008: SAML token is invalid.", when signing in to Office 365.

When I logged in to the AD FS Management console I realised that the token signing certificate had been renewed (automatic certificate rollover) and the old certificate had been demoted to the secondary certificate. Office 365 still only knew the old certificate, so every SAML token signed with the new one was rejected.

Various blog posts stated that I should run

[code language="powershell"] Update-MsolFederatedDomain -DomainName [/code]

or

[code language="powershell"] Update-MsolFederatedDomain -SupportMultipleDomain -DomainName [/code]

I ran the first one because I hadn't found the latter yet (and I was aware that it was a multiple-domain environment), and suddenly the Office 365 sign-in tried to reach an old, turned-off federation server. (It might have been this first command that made this happen.)

I figured out how to fix this by running

[code language="powershell"] Set-MsolDomainFederationSettings -DomainName -FederationBrandName "FedDomain Federation Service" -LogOffUri -PassiveLogOnUri -ActiveLogOnUri -IssuerUri -MetadataExchangeUri [/code]

but still no luck: users couldn't sign in.

I tried to run

[code language="powershell"] Update-MsolFederatedDomain -SupportMultipleDomain -DomainName [/code]

Others also posted that it could be due to time sync errors and suggested running w32tm /syncnow. Neither helped, and I was about to start all over when I suddenly found the right solution.

I had to run a small PowerShell command before Update-MsolFederatedDomain:

[code language="powershell"] Set-MsolADFSContext -Computer fed [/code]

Replace fed with the NetBIOS name of your primary AD FS server. Without this context the MSOnline cmdlets do not know which AD FS server to read the current token signing certificate from, so nothing gets pushed to Office 365.

After that I could use this:

[code language="powershell"] Update-MsolFederatedDomain -SupportMultipleDomain -DomainName [/code]

and the certificate was updated in Office 365.

And the command to verify the setup:

[code language="powershell"] Get-MsolFederationProperty -DomainName [/code]
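To tie the steps above together, here is an added example script (not the post's own code) that checks whether the token signing certificate Office 365 has on record matches the one AD FS is actually using, and only runs the update when they differ. It assumes the MSOnline module, a Global Admin account for Connect-MsolService, that Get-MsolFederationProperty returns one row with Source "ADFS Server" and one with Source "Microsoft Office 365" whose TokenSigningCertificate property exposes a Thumbprint, and placeholder values for the AD FS server name and the federated domain.

```powershell
# Added example, not from the original post. Re-syncs the AD FS token signing
# certificate to Office 365 after an automatic certificate rollover.
# Placeholders: 'fed' (NetBIOS name of the primary AD FS server) and 'example.com'.
Import-Module MSOnline

$AdfsServer = 'fed'          # placeholder: primary AD FS server NetBIOS name
$DomainName = 'example.com'  # placeholder: federated domain to check

# Returns $true when the thumbprint Office 365 trusts equals the thumbprint
# AD FS currently signs with, $false otherwise; also prints both for the log.
function Test-FederationCertInSync {
    param([Parameter(Mandatory)][string]$DomainName)

    $props = Get-MsolFederationProperty -DomainName $DomainName
    # Assumed Source labels for the two rows the cmdlet returns.
    $adfsRow  = $props | Where-Object { $_.Source -like 'ADFS*' }
    $cloudRow = $props | Where-Object { $_.Source -like '*Office 365*' }

    if (-not $adfsRow -or -not $cloudRow) {
        throw "Get-MsolFederationProperty did not return both an AD FS and an Office 365 row for $DomainName"
    }

    $adfsThumb  = $adfsRow.TokenSigningCertificate.Thumbprint
    $cloudThumb = $cloudRow.TokenSigningCertificate.Thumbprint
    Write-Host "AD FS signs with : $adfsThumb"
    Write-Host "Office 365 trusts: $cloudThumb"
    return ($adfsThumb -eq $cloudThumb)
}

Connect-MsolService                          # prompts for Global Admin credentials

# The step the post found missing: point the MSOnline cmdlets at the primary AD FS server
# so they can read the current (rolled-over) token signing certificate from it.
Set-MsolADFSContext -Computer $AdfsServer

if (Test-FederationCertInSync -DomainName $DomainName) {
    Write-Host "Certificates already match, nothing to do."
} else {
    Write-Host "Mismatch found, pushing the AD FS certificate to Office 365..."
    # -SupportMultipleDomain because this tenant federates more than one domain
    Update-MsolFederatedDomain -DomainName $DomainName -SupportMultipleDomain

    if (Test-FederationCertInSync -DomainName $DomainName) {
        Write-Host "Office 365 now trusts the new token signing certificate."
    } else {
        Write-Warning "Still out of sync; confirm the AD FS context points at the PRIMARY server and that the new certificate is the primary token signing certificate in AD FS."
    }
}
```

Run it on a machine that has the MSOnline module and network access to the primary AD FS server. The comparison step is also a handy thing to schedule shortly before the AutoCertificateRollover date, so a mismatch is caught before users start seeing AADSTS50008.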
