Hello,
I took the example you provided for the High Level API WebForms, and I configured the saml.config to use the Identity Provider of my organization:
<PartnerIdentityProvider Name="RyderSSO"
    Description="Example Identity Provider"
    SignAuthnRequest="true"
    WantSAMLResponseSigned="true"
    WantAssertionSigned="false"
    WantAssertionEncrypted="false"
    SingleSignOnServiceUrl="https://newsamlqa.ryder.com/affwebservices/public/saml2sso"
    SingleLogoutServiceUrl="https://newsamlqa.ryder.com/affwebservices/public/saml2sso"
    PartnerCertificateFile="Certificates\samlqapub.cer" />
And I think the service provider I set up for this example is this:
<ServiceProvider Name="RyderSSO"
    Description="Example Service Provider"
    AssertionConsumerServiceUrl="http://localhost/ExampleServiceProvider/SAML/AssertionConsumerService.aspx"
    LocalCertificateFile="Certificates\sp.pfx"
    LocalCertificatePassword="password" />
From that I get redirected to the SSO of my organization, and once I log in they give me an error:
HTTP Status 403 - Request Forbidden. Transaction ID: 25f74535-9e125b40-63326a2b-a1c8af2f-fd7607a8-aa failed.
Then I changed the certificate to:
    LocalCertificateFile="Certificates\samlqapub.cer"
    LocalCertificatePassword="password" />
But before I am redirected to the SSO, I get this error:
The X.509 certificate with subject name … does not have a private key
I am new to the SAML standard. Can anyone help me set up the saml.config correctly with my configuration?
The info that was provided by my company is:
1-samlqapub.cer
2-https://newsamlqa.ryder.com/affwebservices/public/saml2sso
Best Regards,
Anibal.
The local certificate must always include a private key. In the case of a LocalCertificateFile this must be a .PFX rather than a .CER file.
The local certificate’s private key is used to generate XML signatures.
In the case of a service provider with SignAuthnRequest set to true for a particular partner identity provider, the authn request is signed using the local certificate’s private key.
From your configuration, it looks like the partner identity provider’s certificate file is samlqapub.cer and you’ve correctly specified this as the PartnerCertificateFile.
Your original configuration where you specified sp.pfx as the LocalCertificateFile should work. The identity provider will need the corresponding sp.cer to verify the authn request signature.
Alternatively, if the identity provider doesn’t require the authn request to be signed, you can set SignAuthnRequest to false and not specify a LocalCertificateFile.
I’m not sure why you got a 403 error. You might have to check the identity provider logs for more details.
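As an added example (not part of this thread, and not ComponentSpace's own code), the openssl commands below build the two kinds of files the answer distinguishes and then check each one for a private key: sp.pfx (key plus certificate, usable as LocalCertificateFile), sp.cer (the public half to hand to the identity provider) and a stand-in for samlqapub.cer (a certificate only, usable as PartnerCertificateFile but not as a signing credential). The file names, the subject names, the password "password" and the constructed AuthnRequest body are assumptions; everything is generated in a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original thread or from ComponentSpace.
# Assumed names: sp.key, sp.cer, sp.pfx, samlqapub.cer, password "password".
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Service provider side: a self-signed certificate with its private key,
# bundled into sp.pfx (LocalCertificateFile) and exported as sp.cer,
# which is the only file the identity provider needs from the SP.
make_sp_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=ExampleServiceProvider" \
    -keyout "$WORK/sp.key" -out "$WORK/sp.cer" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORK/sp.key" -in "$WORK/sp.cer" \
    -passout pass:password -out "$WORK/sp.pfx"
}

# Identity provider side: a constructed stand-in for samlqapub.cer. The SP
# only ever receives the certificate; the IdP keeps idp.key to itself.
make_idp_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=RyderSSO" \
    -keyout "$WORK/idp.key" -out "$WORK/samlqapub.cer" >/dev/null 2>&1
}

# Print "yes" if the file is a PKCS#12 bundle carrying a private key, else
# "no". A .cer (PEM or DER) is not PKCS#12 and never carries a key, which is
# exactly why it cannot be used as LocalCertificateFile.
has_private_key() {
  file=$1
  password=${2:-}
  if openssl pkcs12 -in "$file" -passin "pass:$password" -nocerts -nodes 2>/dev/null \
      | grep -q 'PRIVATE KEY'; then
    echo yes
  else
    echo no
  fi
}

# Sign a constructed AuthnRequest body with the key from sp.pfx and verify it
# using sp.cer alone, mirroring what the IdP can do with the SP certificate.
# This is a plain RSA-SHA256 signature over the bytes, not XML-DSig; it shows
# which key signs and which certificate verifies, not the SAML XML layout.
sign_and_verify() {
  printf '<samlp:AuthnRequest ID="_example" Version="2.0"/>' > "$WORK/authn.xml"
  openssl pkcs12 -in "$WORK/sp.pfx" -passin pass:password -nocerts -nodes \
    -out "$WORK/sp-from-pfx.key" 2>/dev/null
  openssl dgst -sha256 -sign "$WORK/sp-from-pfx.key" \
    -out "$WORK/authn.sig" "$WORK/authn.xml"
  openssl x509 -in "$WORK/sp.cer" -pubkey -noout > "$WORK/sp.pub"
  openssl dgst -sha256 -verify "$WORK/sp.pub" \
    -signature "$WORK/authn.sig" "$WORK/authn.xml"
}

make_sp_certs
make_idp_cert
echo "sp.pfx has private key:        $(has_private_key "$WORK/sp.pfx" password)"
echo "sp.cer has private key:        $(has_private_key "$WORK/sp.cer")"
echo "samlqapub.cer has private key: $(has_private_key "$WORK/samlqapub.cer")"
sign_and_verify
```

The last line prints "Verified OK": the AuthnRequest signed with the key inside sp.pfx checks out against sp.cer, so that is the file to send to the identity provider, while samlqapub.cer stays in PartnerCertificateFile to verify the signed SAML response coming back.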