Skip to main content


AD FS makes use of a number of different certificates to perform single sign-on. These are the certificates that HMP's supported sign-in protocols might interact with:

Token signing certificate

AD FS signs tokens and HMP uses this signature to verify that the token comes from AD FS.

Windows Server IIS certificate

Secures SSO sign-in requests from the browser and OAuth2 token requests from HMP. This certificate must be valid for OAuth2, or else token requests will fail due to HMP being unable to verify the certificate.

Relying Party Trust Encryption certificate

AD FS encrypts messages using the certificate and then HMP is expected to decrypt using the certificate's private key. This certificate isn't used for OAuth2. It's currently supported for SAML2, but not WS-Fed. This certificate can be self-signed and does not have to be the same as the IIS certificate.

HMP SSL certificate

POST requests made by the browser to /sso/callback after authentication for WS-Fed/SAML will use this certificate.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.