Custom X.509 Certificate Management

ICertificateManager Interface
Both local and partner X.509 certificates may be specified by configuration. In most cases, this is the preferred method.
However, if required, certificates may be managed programmatically through the ICertificateManager interface.

public interface ICertificateManager {
    X509Certificate2 LocalIdentityProviderCertificate { get; }

    X509Certificate2 LocalServiceProviderCertificate { get; }

    X509Certificate2 GetPartnerCertificate(string partnerProviderName);
}

The ICertificateManager interface permits retrieval of X.509 certificates required as part of the single sign-on process.
The LocalIdentityProviderCertificate property returns the local identity provider certificate.
The LocalServiceProviderCertificate property returns the local service provider certificate.
The GetPartnerCertificate method returns the partner identity provider or service provider certificate as specified by the partner provider's name.

A default implementation, CertificateManager, is included which supports X.509 certificates specified by configuration.

Custom ICertificateManager
If required, a custom ICertificateManager may be implemented.
The abstract class, AbstractCertificateManager, provides common functionality for managing X.509 certificates.
The following example code outlines a custom certificate manager which retrieves certificates that are stored in a database.

using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

class CustomCertificateManager : AbstractCertificateManager {
    public CustomCertificateManager() {
        // Retrieve the local certificate raw data
        // and password from a database.
        // Implementation not shown.
        byte[] rawData = null;
        string password = null;

        // Save the local provider certificate.
        LocalIdentityProviderCertificate = new X509Certificate2(
            rawData, password, X509KeyStorageFlags.MachineKeySet);

        // Retrieve the partner providers' certificate raw data
        // from a database, keyed by partner provider name.
        // Implementation not shown.
        IDictionary<string, byte[]> partnerProviderRawData = null;

        // Save the partner providers' certificates.
        foreach (string partnerProviderName in
            partnerProviderRawData.Keys) {
            X509Certificate2 partnerCertificate = new X509Certificate2(
                partnerProviderRawData[partnerProviderName],
                (string)null, X509KeyStorageFlags.MachineKeySet);
            // Store partnerCertificate so that GetPartnerCertificate
            // can return it. Implementation not shown.
        }
    }
}

The following code assumes a CustomCertificateManager class has been implemented and configures it as the certificate manager.

SAMLConfiguration.Current.CertificateManager = new CustomCertificateManager();
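As an added example (not the library's own code, and not the CustomCertificateManager above), the following implements ICertificateManager directly and adds the checks a manager that loads certificates from a database should make before handing one out: the local certificate must carry its private key, every certificate must be inside its validity period, and a request for an unknown partner fails rather than returning null. The partnerLoader delegate standing in for the database lookup, and the decision to serve an identity provider only, are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography.X509Certificates;

public class ValidatingCertificateManager : ICertificateManager {
    // Assumed delegate standing in for the database lookup of a partner's certificate bytes.
    private readonly Func<string, byte[]> partnerLoader;
    private readonly ConcurrentDictionary<string, X509Certificate2> partnerCache =
        new ConcurrentDictionary<string, X509Certificate2>();

    public X509Certificate2 LocalIdentityProviderCertificate { get; }
    public X509Certificate2 LocalServiceProviderCertificate { get; }

    public ValidatingCertificateManager(byte[] localIdpRawData, string localIdpPassword,
                                        Func<string, byte[]> partnerLoader) {
        this.partnerLoader = partnerLoader ?? throw new ArgumentNullException(nameof(partnerLoader));
        LocalIdentityProviderCertificate = LoadLocal(localIdpRawData, localIdpPassword);
        // This manager serves an identity provider only, so no local SP certificate is loaded.
        LocalServiceProviderCertificate = null;
    }

    public X509Certificate2 GetPartnerCertificate(string partnerProviderName) {
        if (string.IsNullOrWhiteSpace(partnerProviderName))
            throw new ArgumentException("Partner provider name is required.", nameof(partnerProviderName));
        // Load, validate and cache once per partner; unknown partners fail instead of returning null.
        return partnerCache.GetOrAdd(partnerProviderName, name => {
            byte[] rawData = partnerLoader(name);
            if (rawData == null)
                throw new InvalidOperationException($"No certificate is configured for partner '{name}'.");
            var certificate = new X509Certificate2(rawData); // public certificate, no password
            CheckValidityPeriod(certificate, "partner '" + name + "'");
            return certificate;
        });
    }

    private static X509Certificate2 LoadLocal(byte[] rawData, string password) {
        var certificate = new X509Certificate2(rawData, password, X509KeyStorageFlags.MachineKeySet);
        // The local certificate signs messages, so it must carry its private key.
        if (!certificate.HasPrivateKey)
            throw new InvalidOperationException("The local certificate must include its private key.");
        CheckValidityPeriod(certificate, "local identity provider");
        return certificate;
    }

    private static void CheckValidityPeriod(X509Certificate2 certificate, string owner) {
        DateTime now = DateTime.Now; // NotBefore and NotAfter are reported in local time
        if (now < certificate.NotBefore || now > certificate.NotAfter)
            throw new InvalidOperationException($"The {owner} certificate {certificate.Thumbprint} is outside its validity period.");
    }
}
```

An instance is registered exactly as shown above by assigning it to SAMLConfiguration.Current.CertificateManager.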