Metadata from the Identity Provider has multiple certificates defined

I recently got FederationMetadata.xml from a new Identity Provider we are supposed to integrate with that has 2 certificates defined in their metadata. One for encryption, and another for signing.

<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <!-- X509Data / X509Certificate contents of the first KeyInfo not preserved in the post -->
</KeyInfo>

<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
  <!-- X509Data / X509Certificate contents of the second KeyInfo not preserved in the post -->
</KeyInfo>
When I run their metadata through the ImportMetaData sample code I get 2 certificates and this saml.config file

<?xml version="1.0"?>
<!-- root element assumed; it was not shown in the original post -->
<SAMLConfiguration xmlns="urn:componentspace:SAML:2.0">
  <IdentityProvider Name="TODO: value required"
      LocalCertificateFile="TODO: value required" />
  <ServiceProvider Name="TODO: value required"
      LocalCertificateFile="TODO: value required"
      AssertionConsumerServiceUrl="TODO: value required" />
  <PartnerIdentityProvider Name="http://fs.example.com/adfs/services/trust"
      PartnerCertificateFile="TODO: value required"
      SingleLogoutServiceUrl="https://fs.example.com/adfs/ls/"
      NameIDFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      SingleSignOnServiceUrl="https://fs.example.com/adfs/ls/" />
  <PartnerServiceProvider Name="http://fs.example.com/adfs/services/trust"
      PartnerCertificateFile="TODO: value required"
      SingleLogoutServiceUrl="https://fs.example.com/adfs/ls/"
      NameIDFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      AssertionConsumerServiceUrl="https://fs.example.com/adfs/ls/"
      SignAssertion="true" />
</SAMLConfiguration>


From what I understand, the only part I really care about from that config is the PartnerIdentityProvider section. If that is the case, what do I need to do to the config file to add the 2 different certificates?

I am using the high level API with a basic saml.config file in the code.

ADFS metadata includes both an IDPSSODescriptor and an SPSSODescriptor, as it can act as both an IdP and an SP.
Generally, however, ADFS is used as the IdP only, which sounds like your case too.
The ImportMetadata tool will generate a <PartnerIdentityProvider> entry from the IDPSSODescriptor and a <PartnerServiceProvider> entry from the SPSSODescriptor.
If the <PartnerServiceProvider> entry isn't required, then simply delete it from your saml.config.
The IDPSSODescriptor includes both a signing certificate and an encryption certificate.
The signing certificate will be used to verify XML signatures generated by ADFS (e.g. the signed SAML assertion).
This is specified in the <PartnerIdentityProvider> as the PartnerCertificateFile.
The encryption certificate can be ignored.
The identity provider shouldn't specify an encryption certificate, as it's not used.
Encryption of SAML assertions, attributes or identifiers is always done using the service provider's certificate.
In other words, the identity provider encrypts using the service provider's public key and the service provider decrypts with the service provider's private key.
The identity provider doesn't get to specify which certificate to use for encryption.
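The answer above comes down to two rules: take only the signing certificate from the IDPSSODescriptor (ignore the encryption one, and ignore the SPSSODescriptor entirely if ADFS is only your IdP), and point PartnerCertificateFile at it. The script below is an added example, not code from the original post or from ComponentSpace. It parses a constructed FederationMetadata.xml shaped like the one in the question, selects the IdP signing certificate(s), writes them out as PEM text, and emits the matching <PartnerIdentityProvider> entry using the attribute names that appear in the poster's saml.config. The file name idp-signing.cer and the certificate bodies are assumptions; the certificates are fake byte strings, not real X.509 data. It also handles two edge cases the answer does not mention: a KeyDescriptor with no `use` attribute (which the SAML metadata spec treats as valid for both signing and encryption, so it must be kept) and more than one signing certificate (ADFS key rollover).

```python
"""Pick the IdP signing certificate out of SAML metadata and build the
PartnerIdentityProvider entry that references it (added example)."""
import base64
import textwrap
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: an ADFS-style FederationMetadata.xml whose IDPSSODescriptor
# carries an encryption and a signing certificate and whose SPSSODescriptor
# carries its own certificate. The certificate bodies are fake bytes.
SIGNING_CERT = b"constructed signing certificate bytes"
ENCRYPTION_CERT = b"constructed encryption certificate bytes"
SP_CERT = b"constructed sp certificate bytes"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


SAMPLE_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://fs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{_b64(ENCRYPTION_CERT)}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{_b64(SIGNING_CERT)}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://fs.example.com/adfs/ls/"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://fs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{_b64(SP_CERT)}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </SPSSODescriptor>
</EntityDescriptor>
"""


def idp_signing_certs(metadata_xml: str) -> list[bytes]:
    """DER bytes of every certificate the IdP may sign with, in metadata order.

    Only the IDPSSODescriptor is consulted. use="encryption" is skipped; a
    KeyDescriptor with no use attribute is kept because the SAML metadata
    spec says such a key is valid for both purposes. Several entries come
    back during an ADFS key rollover, and all of them must be trusted.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "encryption":
            continue
        for x509 in kd.findall(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join(x509.text.split())))
    return certs


def to_pem(der: bytes) -> str:
    """Wrap DER bytes as a PEM certificate block (what you save as the .cer file)."""
    body = "\n".join(textwrap.wrap(_b64(der), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def idp_endpoints(metadata_xml: str) -> dict:
    """Entity ID, SSO/SLO locations and NameID format from the IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)

    def location(tag: str):
        el = idp.find(f"md:{tag}", NS)
        return el.get("Location") if el is not None else None

    return {
        "entity_id": root.get("entityID"),
        "sso_url": location("SingleSignOnService"),
        "slo_url": location("SingleLogoutService"),
        "name_id_format": idp.findtext("md:NameIDFormat", None, NS),
    }


def partner_idp_entry(metadata_xml: str, cert_file: str = "idp-signing.cer") -> str:
    """Build the <PartnerIdentityProvider> element using the attribute names
    seen in the poster's saml.config; cert_file is an assumed file name."""
    info = idp_endpoints(metadata_xml)
    attrs = [
        ("Name", info["entity_id"]),
        ("PartnerCertificateFile", cert_file),
        ("SingleLogoutServiceUrl", info["slo_url"]),
        ("NameIDFormat", info["name_id_format"]),
        ("SingleSignOnServiceUrl", info["sso_url"]),
    ]
    body = "\n    ".join(f"{k}={quoteattr(v)}" for k, v in attrs if v)
    return f"<PartnerIdentityProvider {body} />"


if __name__ == "__main__":
    certs = idp_signing_certs(SAMPLE_METADATA)
    print(f"{len(certs)} IdP signing certificate(s); encryption certificate ignored")
    print(to_pem(certs[0]))  # save as idp-signing.cer next to saml.config
    print(partner_idp_entry(SAMPLE_METADATA))
```

Run it as-is and the encryption certificate and the SP certificate never reach the output; only the signing certificate is written, which is exactly the one PartnerCertificateFile must name. If ADFS later rolls its signing key, the metadata will list two signing KeyDescriptors and the list comes back with both, so check its length rather than assuming one entry.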

[quote]
ComponentSpace - 9/23/2016
ADFS metadata includes both an IDPSSODescriptor and an SPSSODescriptor, as it can act as both an IdP and an SP.
Generally, however, ADFS is used as the IdP only, which sounds like your case too.
The ImportMetadata tool will generate a <PartnerIdentityProvider> entry from the IDPSSODescriptor and a <PartnerServiceProvider> entry from the SPSSODescriptor.
If the <PartnerServiceProvider> entry isn't required, then simply delete it from your saml.config.
The IDPSSODescriptor includes both a signing certificate and an encryption certificate.
The signing certificate will be used to verify XML signatures generated by ADFS (e.g. the signed SAML assertion).
This is specified in the <PartnerIdentityProvider> as the PartnerCertificateFile.
The encryption certificate can be ignored.
The identity provider shouldn't specify an encryption certificate, as it's not used.
Encryption of SAML assertions, attributes or identifiers is always done using the service provider's certificate.
In other words, the identity provider encrypts using the service provider's public key and the service provider decrypts with the service provider's private key.
The identity provider doesn't get to specify which certificate to use for encryption.
[/quote]

Thank you so much. Looks like it worked.

You’re welcome.