Certificate Clarification

Hi,
I am beginning to investigate the development of an SSO solution; I would be building the Identity Provider part of the solution.
I am looking at the MVCExampleIdentityProvider Visual Studio solution.
I am confused by what certificates I need and how they are obtained.

I have an SSL cert for the website (let's call it example.com) which will act as the IdP, which the documentation says we can use.
And I see it seems to be possible to get it from the certificate store, so I think I can work that out later.

I wish to connect to these 2 partners, which already support SAML SSO (and another later, when they have SAML support):
http://support.aha.io/hc/en-us/articles/204068485-Single-sign-on-SAML-2-0
https://support.freshdesk.com/support/solutions/articles/186796-single-sign-on-for-freshdesk-using-saml

How do I obtain the “sp.cer” from/for these partners? Neither 3rd party documentation page mentions how I would get this. Do I download it from each provider and save it in my Certificates folder? If they use their SSL cert (I don’t know if they do), can I export this from their website cert by “navigating to example.provider.com in Chrome” > view cert > details > copy to file > base64 encoded?

How do I provide these partners with an “idp.cer” file? (Aha says I can provide this at a metadata URL, but the MVCExampleIdentityProvider does not have an action method for this in its controller. Does the ExportMetadata example generate something in the correct format for doing this?)
Alternatively, manual settings asks for a fingerprint… If using my website cert, is this what I would get if I exported the cert from “navigating to example.com in Chrome” > view cert > details > thumbprint?

Freshdesk requires me to manually upload a SHA-1 certificate; again, where would I get this from? If using my website cert, is this what I would get if I exported the cert from “navigating to example.com in Chrome” > view cert > details > copy to file > base64 encoded?

Hi Murray
Just to confirm, the existing SSL certificate for HTTPS also may be used for XML signatures. This certificate includes the private key which is used for signature generation.
You can use the Microsoft Management Console (MMC) Certificates snap-in to export the certificate and private key as a PFX file or the certificate and public key as a CER file from the Windows certificate store.
Our configuration supports either retrieving the certificate from the certificate store or the file system.
More information may be found at X.509 Certificate Management.
As the identity provider you will either sign the SAML response or SAML assertion.
The service provider will need your public key so they can verify the signature.
This can be supplied as a CER file or as part of your SAML metadata.
We include SAML metadata template files or you can use the ExportMetadata utility to generate your metadata which will include your base-64 encoded certificate.
More information may be found at SAML Metadata Generation and Consumption.
You may or may not need a certificate from the service provider.
This is only required if you are supporting SP-initiated SSO and the service provider signs the authn request, or you are supporting single logout and logout messages are signed, or the SAML assertion is to be encrypted. In many cases none of these apply and therefore no certificate is required from the service provider.
If there is a service provider certificate they should supply it to you as a CER file or as part of their SAML metadata.
For these specific service providers it sounds like there’s no associated certificate.
You’re welcome to email our support email address with your SAML metadata generated by ExportMetadata and we can check it for you and answer any specific questions you might have.
We have a number of customers successfully inter-operating with Freshdesk. I took a quick look at the Aha link you sent and it looks like it should be fairly straightforward.
If you run into any issues, you’re welcome to enable SAML trace and send the log file to our support email address.
Enabling SAML Trace
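
How the CER export, its base-64 form and the thumbprint discussed in this thread relate, as an added example that is not from the original posts or from the SAML component's own samples. It assumes .NET 6 or later and uses a constructed self-signed certificate for CN=example.com in place of the real website certificate.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class IdpCertificateDemo
{
    static void Main()
    {
        // Constructed stand-in for the IdP signing certificate; in practice this is
        // the existing certificate loaded from the Windows store or a PFX file.
        using RSA key = RSA.Create(2048);
        var request = new CertificateRequest(
            "CN=example.com", key, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using X509Certificate2 idpCert = request.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));

        // CER export: the DER-encoded certificate with the public key only.
        // This is the file that is safe to hand to a service provider.
        byte[] der = idpCert.Export(X509ContentType.Cert);
        using var cerOnly = new X509Certificate2(der);
        Console.WriteLine("IdP certificate has private key: " + idpCert.HasPrivateKey);
        Console.WriteLine("CER export has private key:      " + cerOnly.HasPrivateKey);

        // "Base-64 encoded" CER: the same DER bytes wrapped in PEM armour.
        Console.WriteLine("-----BEGIN CERTIFICATE-----");
        Console.WriteLine(Convert.ToBase64String(der, Base64FormattingOptions.InsertLineBreaks));
        Console.WriteLine("-----END CERTIFICATE-----");

        // Thumbprint/fingerprint: a hash over the DER bytes, not over the base-64 text.
        byte[] sha1, sha256;
        using (SHA1 h = SHA1.Create()) sha1 = h.ComputeHash(der);
        using (SHA256 h = SHA256.Create()) sha256 = h.ComputeHash(der);
        string sha1Colon = BitConverter.ToString(sha1).Replace("-", ":");
        string sha256Colon = BitConverter.ToString(sha256).Replace("-", ":");
        bool matches = BitConverter.ToString(sha1).Replace("-", "") == idpCert.Thumbprint;

        Console.WriteLine("Windows thumbprint:  " + idpCert.Thumbprint);
        Console.WriteLine("SHA-1 fingerprint:   " + sha1Colon);
        Console.WriteLine("SHA-256 fingerprint: " + sha256Colon);
        Console.WriteLine("SHA-1 equals Windows thumbprint: " + matches);
    }
}
```

The thumbprint shown in the Windows certificate dialog is the SHA-1 digest printed without separators, so a partner that expects a colon-separated or SHA-256 fingerprint needs the matching form of the same certificate.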