IDP metadata has primary and secondary signing certificates

Not sure if this is a configuration error on the part of the IDP I am trying to use (ADFS) or not, but the situation is this.

I am running a ComponentSpace service provider in my ASP.NET/MVC site. ComponentSpace version is 4.3.0.0.

At startup it imports metadata for the IDP using the MetadataImporter.ImportIdentityProviders method to import a single provider from a URL.

The metadata contains 2 certificates with use="signing" attributes. One is the provider's "primary" cert, the other is its "secondary" certificate.
The order is primary followed by secondary. Both have the same subject name.

After importing the metadata, there is only one certificate in the certificates folder, and it is that of the secondary certificate.
When the IDP sends a SAML response, it is signing it with the primary certificate.

As a result, unless I set UseEmbeddedCertificate to true for the provider config, I get a signature verification error when the response is processed.

So my questions are:
- Is it considered legit or bad practice to set UseEmbeddedCertificate to true?
  It seems like for maximum security, we should be relying only on the metadata that has been exchanged, not what is in the current request, right?
- Is there a way to control which certificate is imported from the metadata if they have the same subject name, or have it go ahead and import both versions and then try them both or something?
- Is this a common situation, hence the availability of the UseEmbeddedCertificate option, or is this really an error on the part of the IDP setup? Like maybe they shouldn't use the same subject name for both primary and secondary certificates or something.


Thanks,

Roger

Hi Roger,

The UseEmbeddedCertificate option is really only meant for debugging purposes and shouldn’t be used in production. The MetadataImporter should import both certificates. At runtime, the first certificate is used to verify the signature and, if that fails, the second certificate is tried.

Would you mind sending the ADFS metadata to support@componentspace.com mentioning your forum post?

I’d like to try to reproduce the issue.

Thanks.
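As an added illustration of the behaviour described in this reply (every use="signing" certificate imported, first certificate tried, then the second), and of why a store keyed by subject name loses the primary certificate when both share a subject, here is a small Python example. It is not ComponentSpace's code and does not reflect how MetadataImporter is implemented: the metadata, entityID and certificate bodies are constructed placeholders (not real X.509 DER), the ds:X509SubjectName element is included only so the subject can be read without an ASN.1 parser, and an HMAC over the certificate bytes stands in for real XML-DSig verification.

```python
"""Import all signing certs from IdP metadata and try each when verifying."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders: NOT real certificates, just distinct byte strings.
PRIMARY_DER = b"constructed-primary-signing-cert"
SECONDARY_DER = b"constructed-secondary-signing-cert"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


# Constructed metadata shaped like the thread describes: two KeyDescriptors
# with use="signing", primary first, both with the same subject name.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509SubjectName>CN=ADFS Signing - idp.example.test</ds:X509SubjectName>
      <ds:X509Certificate>{_b64(PRIMARY_DER)}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509SubjectName>CN=ADFS Signing - idp.example.test</ds:X509SubjectName>
      <ds:X509Certificate>{_b64(SECONDARY_DER)}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


@dataclass(frozen=True)
class SigningCert:
    subject: str
    der: bytes

    @property
    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


def import_signing_certs(metadata_xml: str) -> List[SigningCert]:
    """Return every signing certificate, preserving metadata order."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is valid for signing too.
        if kd.get("use", "signing") != "signing":
            continue
        subject = kd.findtext(".//ds:X509SubjectName", default="", namespaces=NS).strip()
        b64 = kd.findtext(".//ds:X509Certificate", default="", namespaces=NS)
        certs.append(SigningCert(subject, base64.b64decode("".join(b64.split()))))
    return certs


def store_by_subject(certs: List[SigningCert]) -> Dict[str, SigningCert]:
    """Keyed by subject: the second cert with the same subject overwrites the first."""
    return {c.subject: c for c in certs}


def store_by_fingerprint(certs: List[SigningCert]) -> Dict[str, SigningCert]:
    """Keyed by SHA-256 fingerprint: distinct certificates never collide."""
    return {c.fingerprint: c for c in certs}


def verify_with_any(certs: List[SigningCert],
                    check: Callable[[SigningCert], bool]) -> Optional[SigningCert]:
    """Try each trusted certificate in order; return the one that verifies."""
    for cert in certs:
        if check(cert):
            return cert
    return None


def stand_in_sign(message: bytes, cert: SigningCert) -> str:
    """Stand-in for the IdP's XML-DSig signature (HMAC keyed by cert bytes)."""
    return hmac.new(cert.der, message, "sha256").hexdigest()


def make_check(message: bytes, signature: str) -> Callable[[SigningCert], bool]:
    """Stand-in for SignedXml-style verification against one candidate cert."""
    return lambda cert: hmac.compare_digest(stand_in_sign(message, cert), signature)


def demo() -> Dict[str, bool]:
    """Response signed with the primary cert, verified against both store types."""
    certs = import_signing_certs(IDP_METADATA)
    response = b"<samlp:Response>constructed</samlp:Response>"
    check = make_check(response, stand_in_sign(response, certs[0]))
    return {
        "matched_subject_store": verify_with_any(list(store_by_subject(certs).values()), check) is not None,
        "matched_full_store": verify_with_any(list(store_by_fingerprint(certs).values()), check) is not None,
    }


if __name__ == "__main__":
    print(demo())  # subject-keyed store fails, fingerprint-keyed store succeeds
```

The subject-keyed store reproduces the symptom from the first post (only the secondary certificate survives, so a response signed with the primary fails), while the fingerprint-keyed store keeps both and the ordered fallback finds the primary on the first try.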

[quote]
ComponentSpace - 8/27/2020
Hi Roger,

The UseEmbeddedCertificate option is really only meant for debugging purposes and shouldn't be used in production. The MetadataImporter should import both certificates. At runtime, the first certificate is used to verify the signature and, if that fails, the second certificate is tried.

Would you mind sending the ADFS metadata to support@componentspace.com mentioning your forum post?

I'd like to try to reproduce the issue.

Thanks.
[/quote]

Thank you. That's kind of what I figured.
Metadata sent.

Thanks. This is a limitation in how we create the certificate file names. I’ll email you a download link to a beta that removes this limitation.