Help with Certificates

I’m building an IdentityProvider solution that will be used for multiple clients. I think I’ve got the code set up correctly and want to start testing with our partner, but I’m unclear what I need to do, if anything, with certificates. I’ve read the Certificate Guide multiple times but still have questions.

- The login page is already protected by TLS, our whole site is encrypted, so that’s out of the equation.
- Do I need to do anything particular to encrypt the SAML assertions, or do the InitiateSSO() and SendSSO() methods handle that automatically?
- I got the metadata from our initial partner and imported one of the two signing certificates in it into our Windows Certificate store. I don’t really understand what this is for, but if I put the thumbprint for that certificate in the PartnerCertificateThumbprint value for that PartnerServiceProvider (in the saml.config file), is that good enough? Is there anything else I need to do with this information?
- Related: our partners’ metadata had two signing keys and an encryption key. How do I know which one to use?
- Likewise, I created a self-signed certificate and put the thumbprint from that in the LocalCertificateThumbprint field in the IdentityProvider section of the saml.config file. Do I need to do anything else?
- What do I have to give our partner to make the SAML connection work? Anything?

I’ve never worked with certificates or cryptography of any kind, so please word your response as if you were talking to a complete dummy on this topic. Because you are.
Thanks in advance.

Either the SAML response or SAML assertion sent to the partner SP should be signed.
This is done using your private key specified in the section of saml.config.
For example, you might specify your PFX file using LocalCertificateFile/LocalCertificatePassword.
The SAML assertion may be encrypted although this isn’t commonly done.
If required, it’s encrypted using the SP’s public key that’s specified in the section.
You should check with the SP if they want the assertion encrypted.
Sometimes people confuse signing with encryption and say they want the assertion encrypted when what they really mean is they want the assertion signed.
The signing certificate in the SP’s metadata is used to verify signatures on messages sent by the SP.
The encryption certificate in the SP’s metadata is used to encrypt the SAML assertion.
The LocalCertificateThumbprint identifies the certificate in the Windows certificate store that will be used to sign SAML responses or assertions.
Make sure that you set the permissions for the private key to allow your application access.
If you don’t, you’ll get a permissions error.
This is described in our Certificate Guide.
You will need to supply the SP with your public key (either in your metadata or as a .CER file) so they can verify the signatures you generate.
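The answer above separates the three certificates in the partner's metadata by role: the `use="signing"` certificates verify what the SP sends you, the `use="encryption"` certificate is only needed if the SP wants the assertion encrypted, and the thumbprint you paste into saml.config is the SHA-1 of the certificate's DER bytes as shown in the Windows certificate store. The script below is an added example written for this thread; it is not code from the thread or from the SAML product being discussed. It parses a constructed SP metadata document with placeholder certificate bytes (not real certificates), groups the certificates by role, and checks which role a thumbprint copied from the Windows store actually plays. The entity IDs, URLs and certificate bytes are all constructed.

```python
import base64
import hashlib
from typing import Optional
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed placeholder "certificate" bytes (not real DER certificates). Real
# metadata carries the base64 DER of the SP's X.509 certificates in these slots.
_SIGNING_1 = b"placeholder signing certificate 1 (constructed)"
_SIGNING_2 = b"placeholder signing certificate 2 (constructed)"
_ENCRYPTION = b"placeholder encryption certificate (constructed)"


def _b64(der: bytes) -> str:
    return base64.b64encode(der).decode("ascii")


# Constructed SP metadata shaped like the partner metadata described in the
# thread: two signing KeyDescriptors and one encryption KeyDescriptor.
SAMPLE_SP_METADATA = f"""
<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
                     entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(_SIGNING_1)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_b64(_SIGNING_2)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(_ENCRYPTION)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
""".strip()


def thumbprint(der: bytes) -> str:
    """SHA-1 of the DER bytes as upper-case hex: the 'thumbprint' the Windows
    certificate store displays and that saml.config thumbprint values refer to."""
    return hashlib.sha1(der).hexdigest().upper()


def normalize_thumbprint(value: str) -> str:
    """Drop spaces, colons and the invisible left-to-right mark (U+200E) that
    often ride along when a thumbprint is copied out of the certificate snap-in."""
    return "".join(ch for ch in value if ch.isalnum()).upper()


def certificates_by_use(metadata_xml: str) -> dict:
    """Return {'signing': [thumbprints], 'encryption': [thumbprints]} from the SP's
    KeyDescriptors. A KeyDescriptor with no 'use' attribute may serve both
    purposes per the SAML metadata spec, so it is listed under both."""
    root = ET.fromstring(metadata_xml)
    found = {"signing": [], "encryption": []}
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        use = kd.get("use")
        purposes = [use] if use in found else list(found)
        for cert_el in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            # base64 in metadata is often wrapped; strip all whitespace first
            der = base64.b64decode("".join((cert_el.text or "").split()))
            tp = thumbprint(der)
            for purpose in purposes:
                if tp not in found[purpose]:
                    found[purpose].append(tp)
    return found


def role_of_store_certificate(store_thumbprint: str, metadata_xml: str) -> Optional[str]:
    """Say which role the certificate you imported into the Windows store plays
    for this partner, or None if it is not in the partner's metadata at all
    (wrong file, or the partner has rotated keys since you imported it)."""
    tp = normalize_thumbprint(store_thumbprint)
    found = certificates_by_use(metadata_xml)
    if tp in found["signing"]:
        return "signing"      # candidate for PartnerCertificateThumbprint
    if tp in found["encryption"]:
        return "encryption"   # only relevant if the SP wants encrypted assertions
    return None


if __name__ == "__main__":
    for role, tps in certificates_by_use(SAMPLE_SP_METADATA).items():
        print(role, tps)
```

When the metadata lists two signing certificates, as in this thread, they are usually a current key and its replacement for rollover; if saml.config takes a single PartnerCertificateThumbprint, confirm with the partner which of the two their SP is currently signing with, and keep `role_of_store_certificate` handy to re-check after they rotate.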

Our partner is reporting that his system is “looking for a signature in the response assertion.” I’m interpreting that to read that their system doesn’t see our assertion as signed. I’ve included our key in our saml.config file/metadata. Is anything else required to sign the assertion? I was assuming that the SendSSO() method did this for me.

[quote]
DanMcD_FEI - 3/20/2019
Our partner is reporting that his system is "looking for a signature in the response assertion." I'm interpreting that to read that their system doesn't see our assertion as signed. I've included our key in our saml.config file/metadata. Is anything else required to sign the assertion? I was assuming that the SendSSO() method did this for me.
[/quote]

Figured this out. I needed to set SignSAMLResponse to true in my saml.config file.
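The failure in this thread was a configured signing key that was never used because no signing flag was turned on. The check below is an added example for this thread, not code from the thread or the product: it reads a saml.config excerpt and reports, per partner, whether a signed response or assertion will actually be produced. The attribute names LocalCertificateThumbprint, PartnerCertificateThumbprint and SignSAMLResponse come from the thread; the SignAssertion attribute, the namespace URI, the "absent means false" reading of the flags, and all thumbprint and URL values are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed saml.config excerpts (not the poster's real file). The "before"
# copy has a local key configured but no signing flag, which is the state that
# produced the partner's "looking for a signature" complaint.
BEFORE = """<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0:configuration">
  <IdentityProvider Name="https://idp.example.test"
                    LocalCertificateThumbprint="1111111111111111111111111111111111111111"/>
  <PartnerServiceProviders>
    <PartnerServiceProvider Name="https://sp.example.test"
        PartnerCertificateThumbprint="2222222222222222222222222222222222222222"
        AssertionConsumerServiceUrl="https://sp.example.test/saml/acs"/>
  </PartnerServiceProviders>
</SAMLConfiguration>"""

# The fix from the thread: SignSAMLResponse="true" on the partner entry.
AFTER = BEFORE.replace(
    '<PartnerServiceProvider Name="https://sp.example.test"',
    '<PartnerServiceProvider Name="https://sp.example.test" SignSAMLResponse="true"',
)


def _local(tag: str) -> str:
    """Element name without its namespace, so the namespace URI need not match."""
    return tag.rsplit("}", 1)[-1]


def _flag(el: ET.Element, name: str) -> bool:
    """Assumed semantics: a missing or non-'true' attribute means the flag is off."""
    return (el.get(name) or "false").strip().lower() == "true"


def signing_report(config_xml: str) -> dict:
    """For each PartnerServiceProvider, say whether a response signature, an
    assertion signature, or neither will be produced, and whether the IdP even
    has a local key to sign with."""
    root = ET.fromstring(config_xml)
    idp = next(el for el in root.iter() if _local(el.tag) == "IdentityProvider")
    has_local_key = any(
        idp.get(attr) for attr in ("LocalCertificateThumbprint", "LocalCertificateFile")
    )
    report = {}
    for sp in root.iter():
        if _local(sp.tag) != "PartnerServiceProvider":
            continue
        signs_response = _flag(sp, "SignSAMLResponse")
        signs_assertion = _flag(sp, "SignAssertion")  # assumed attribute name
        report[sp.get("Name")] = {
            "has_local_key": has_local_key,
            "signs_response": signs_response,
            "signs_assertion": signs_assertion,
            # a key alone signs nothing; at least one flag must be on
            "ok": has_local_key and (signs_response or signs_assertion),
        }
    return report


def unsigned_partners(config_xml: str) -> list:
    """Names of partners that would receive an unsigned response and assertion."""
    return [name for name, r in signing_report(config_xml).items() if not r["ok"]]


if __name__ == "__main__":
    print("before:", unsigned_partners(BEFORE))
    print("after: ", unsigned_partners(AFTER))
```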

I’m glad you worked it out and thanks for the update.