ADFS Security

In the ADFS identity provider part of the example saml.config file the values are set as follows:-

<PartnerIdentityProvider Name="http://adfs.test/adfs/services/trust"
    SignAuthnRequest="true"
    WantSAMLResponseSigned="false"
    WantAssertionSigned="true"
    WantAssertionEncrypted="true"
    UseEmbeddedCertificate="true"
    ClockSkew="00:03:00"
    SingleSignOnServiceUrl="https://adfs.test/adfs/ls/"/>

So, as I understand it, instead of specifying the certificate used to verify the identity provider we are using the embedded certificate. Am I correct in thinking that this means that the SAML message from the IdP also contains the public key we are to use to validate the assertions? If so, what stops anyone sending us a message with their own public key in?

(For the moment I have the code working with the IdP's signing certificate specified in the saml.config file.)

Hopefully that question makes some sense!

Thanks

David



Hi David
An embedded certificate is ok but you would need to double check its subject DN, issuer, validity etc.
The safest and simplest option is to not use the embedded certificate but instead specify the certificate file to use.
We don’t recommend setting UseEmbeddedCertificate to true in a production environment but it can be useful in a test environment.
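To make the reply's point concrete, here is an added example (not ComponentSpace code, and not the recommended fix, which is to name the certificate file in saml.config) showing the kind of check a relying party has to add if it does accept the certificate embedded in the message's ds:KeyInfo: the embedded certificate is reduced to its SHA-256 thumbprint and compared against an allow-list built from the certificate the service provider already holds, so a message carrying someone else's certificate is rejected before its signature is ever trusted. The certificate bytes, the SAML Response and the thumbprint list are all constructed stand-ins so the code runs offline; the real X.509 signature verification and the subject/issuer/validity checks the reply mentions are assumed to be done by the SAML library and are not reimplemented here.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Optional, Set

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed stand-ins for DER-encoded certificates. A real relying party would
# load the IdP signing certificate from the file named in saml.config; the bytes
# here are arbitrary so the example runs without a real X.509 certificate.
TRUSTED_IDP_CERT_DER = b"constructed-trusted-idp-signing-certificate"
ROGUE_CERT_DER = b"constructed-certificate-chosen-by-someone-else"


def sha256_thumbprint(cert_der: bytes) -> str:
    """Hex SHA-256 thumbprint of a DER-encoded certificate (the value you pin)."""
    return hashlib.sha256(cert_der).hexdigest()


# The allow-list is derived from the certificate we configured ourselves, never
# from anything carried inside the message being checked.
PINNED_THUMBPRINTS: Set[str] = {sha256_thumbprint(TRUSTED_IDP_CERT_DER)}


def build_response(cert_der: bytes) -> str:
    """Constructed minimal SAML Response whose Signature embeds cert_der in KeyInfo."""
    b64 = base64.b64encode(cert_der).decode("ascii")
    return (
        f'<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:ds="{DS_NS}" ID="_r1">'
        "<ds:Signature><ds:KeyInfo><ds:X509Data>"
        f"<ds:X509Certificate>{b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></ds:Signature>"
        "</samlp:Response>"
    )


def extract_embedded_certificate(response_xml: str) -> Optional[bytes]:
    """Return the DER bytes of the first ds:X509Certificate in the message, or None."""
    root = ET.fromstring(response_xml)
    node = root.find(f".//{{{DS_NS}}}X509Certificate")
    text = (node.text or "") if node is not None else ""
    if not text.strip():
        return None
    # KeyInfo certificates are usually wrapped across lines; drop all whitespace first.
    return base64.b64decode("".join(text.split()))


def embedded_certificate_is_trusted(response_xml: str, pinned: Set[str]) -> bool:
    """Accept the embedded certificate only if its thumbprint is on the pinned list.

    With UseEmbeddedCertificate=true and no further check, whatever certificate the
    sender placed in KeyInfo would be used to verify the signature; pinning ties the
    message back to the certificate we already trust.
    """
    cert = extract_embedded_certificate(response_xml)
    if cert is None:
        return False
    return sha256_thumbprint(cert) in pinned


if __name__ == "__main__":
    good = build_response(TRUSTED_IDP_CERT_DER)
    bad = build_response(ROGUE_CERT_DER)
    print("configured IdP certificate accepted:", embedded_certificate_is_trusted(good, PINNED_THUMBPRINTS))
    print("unknown certificate accepted:", embedded_certificate_is_trusted(bad, PINNED_THUMBPRINTS))
```

The check answers the question in the thread directly: the embedded certificate is only a hint about which key signed the message, and it has to be matched against something the relying party controls (a pinned thumbprint here, or the certificate file the reply recommends) before the signature result means anything.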

Thank you for your prompt reply.

Regards

David