IdP providing different certificates for signing vs encryption

The partner IdP has specified different certificates for signing vs encryption in the metadata file. I want to confirm that in SamlConfiguration, for the PartnerCertificateFile property, I should point to the signing certificate of the partner IdP. Can you please clarify how this should be handled?


<md:KeyDescriptor use="signing">
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Data>
      <ds:X509Certificate>...</ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Data>
      <ds:X509Certificate>...</ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</md:KeyDescriptor>

That’s correct. You should specify the signing certificate for the partner identity provider.
You should store the certificate either on the file system as a .cer file or in the Windows certificate store.
The following article describes how to reference the certificate in the SAML configuration.
http://www.componentspace.com/Forums/44/X.509-Certificate-Management
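As an added illustration (not code from this thread or from ComponentSpace), here is how an SP could pull the signing certificate out of partner IdP metadata shaped like the fragment above, so that the value that ends up in PartnerCertificateFile is the signing one and not the encryption one. The sample metadata, entity ID and certificate bodies are constructed placeholders; a KeyDescriptor with no use attribute is treated as valid for both uses, as the SAML metadata specification allows.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample of partner IdP metadata in the shape quoted above.
# The certificate bodies are placeholders, not real base64 certificates.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate> SIGNING-CERT-PLACEHOLDER </ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>ENCRYPTION-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def partner_certificates(metadata_xml, role="IDPSSODescriptor"):
    """Group the partner's X509Certificate values by key use.
    A KeyDescriptor without a 'use' attribute is valid for both uses (SAML
    metadata spec), so it is added to both lists. Whitespace is stripped."""
    root = ET.fromstring(metadata_xml)
    certs = {"signing": [], "encryption": []}
    for kd in root.findall(f"md:{role}/md:KeyDescriptor", NS):
        use = kd.get("use")
        uses = [use] if use in certs else list(certs)  # missing use => both
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            value = "".join((cert.text or "").split())
            for u in uses:
                certs[u].append(value)
    return certs

def partner_signing_certificate(metadata_xml):
    """The certificate to configure for the partner IdP: the signing one.
    Configuring the encryption certificate instead would fail every signature check."""
    signing = partner_certificates(metadata_xml)["signing"]
    if not signing:
        raise ValueError("partner metadata carries no signing certificate")
    return signing[0]
```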

Thanks

What should happen with the encryption certificate in that case? I do not see a way to configure the encryption certificate in the PartnerIdentityProviderConfiguration class.

The partner IdP’s encryption certificate should be ignored as it’s not used for anything.
The only encryption certificate that would be used is the SP’s.
The SP’s encryption certificate is used if the SAML assertion is to be encrypted.

[quote]
ComponentSpace - 9/21/2018
The partner IdP's encryption certificate should be ignored as it's not used for anything.
The only encryption certificate that would be used is the SP's.
The SP's encryption certificate is used if the SAML assertion is to be encrypted.
[/quote]

Hi, I was struggling with two certificates for one service provider.
You mentioned that SP's encryption certificate is used for assertion encryption.
How do we manage this for your ComponentSpace library?

We are the IdP and our partner, as SP, sends two certificates for signing and encryption in its metadata.
But the ComponentSpace library imports only one certificate. Is there any way to grab all the certificates and import them, then
use them separately for signing and encryption at SendSSO?

Thanks for your help in advance.

Currently there’s a limitation in that we don’t distinguish between signature and encryption certificates in the SAML configuration.
In most use cases the same certificate is used for both.
If the partner SP requires it, you would need to implement a custom ICertificateManager.
However, I would first ask the SP if they could use a single certificate instead.
If they’re unwilling to do this, I can provide details on how to implement ICertificateManager.

[quote]
ComponentSpace - 1/22/2019
Currently there's a limitation in that we don't distinguish between signature and encryption certificates in the SAML configuration.
In most use cases the same certificate is used for both.
If the partner SP requires it, you would need to implement a custom ICertificateManager.
However, I would first ask the SP if they could use a single certificate instead.
If they're unwilling to do this, I can provide details on how to implement ICertificateManager.
[/quote]

Thanks for your support.
Actually there is no way we can avoid two certificates at this time.
Please advise me how I could accomplish this in a custom way.

Thanks again.

Please contact support@componentspace.com mentioning your requirement for separate certificates.
We can discuss the available options and will look at whether we can add better support in the timeframe.