How to configure 2 certificates for Partner Identity Provider

Hello,
I was wondering if anyone could point me in the right direction.

I am working on an ASP.NET project which I am rewriting from an ASP.NET Core project where I have a Service Provider initiated SSO login with the following configuration:

"Configurations": [
  {
    "LocalServiceProviderConfiguration": {
      "Name": "myApp",
      "Description": "myApp",
      "AssertionConsumerServiceUrl": "<some_url>",
      "SingleLogoutServiceUrl": "<some_url>",
      "LocalCertificates": [
        {
          "StoreLocation": "LocalMachine",
          "StoreName": "My",
          "Thumbprint": "<some_thumbprint>",
          "Use": "Any"
        }
      ]
    },
    "PartnerIdentityProviderConfigurations": [
      {
        "Name": "https://myApp",
        "Description": "…",
        "SignAuthnRequest": true,
        "SingleSignOnServiceUrl": "<some_url>",
        "SingleLogoutServiceUrl": "<some_url>",
        "ArtifactResolutionServiceUrl": "<some_url>",
        "NameIDFormat": "<some_url>",
        "PartnerCertificates": [
          {
            "String": "asdashdASDHKASUDHalskdnasdk",
            "Use": "Signature"
          },
          {
            "String": "sdfsadlfknOIASDOASDhasasdasdasd",
            "Use": "Encryption"
          }
        ]
      }
    ]
  }
]

So as you can see, we are using 2 certificates for the Partner Identity Provider: one for signature and one for encryption. Could anyone please tell me how the configuration in saml.config should look for my ASP.NET project? The example that came with the installation had this in saml.config:

<PartnerIdentityProvider Name="http://MvcExampleIdentityProvider"
                         Description="MVC Example Identity Provider"
                         SignAuthnRequest="true"
                         SingleSignOnServiceUrl="http://localhost:52801/SAML/SSOService"
                         SingleLogoutServiceUrl="http://localhost:52801/SAML/SLOService"
                         PartnerCertificateFile="Certificates\idp.cer"/>

And I don’t know how to specify in the configuration that I want to use one certificate for signing and one certificate for encryption.

Any help is greatly appreciated. Thank you in advance.

I’m afraid specifying different encryption and signature certificates currently isn’t supported.
Usually this isn’t an issue as it’s easier to manage one rather than two certificates.
Our recommendation is to use the same certificate for signing and encryption.
There are no security concerns in doing this and it means there’s one less certificate to manage.
If you must use separate certificates, please advise, along with the reasons for this.