PartnerCertificates in PartnerProviderConfiguration can handle both expired and non-expired certificates

Hi,
Can PartnerCertificates in PartnerIdentityProviderConfiguration handle both expired and non-expired certificates to validate the SAML Assertion?

We have a scenario where the existing certificate will expire in the future, and we want to add support for loading a backup certificate (with a longer expiry date than the existing one) in PartnerCertificates. So that, if the SAML Assertion validation fails with the expired certificate, can ComponentSpace SAML validate with the other (non-expired) certificates from the list of PartnerCertificates?

When I have both expired and non-expired certificates in PartnerCertificates, I receive the following error:


ComponentSpace.Saml2.Exceptions.SamlCertificateException: The X.509 certificate could not be loaded from the string.
---> ComponentSpace.Saml2.Exceptions.SamlCertificateException: The X.509 certificate with subject name E=info@idp.com, CN=test, OU=SSOProvider, O=idp, L=San Francisco, S=California, C=US, serial number 00B08FEA3C1A0CFC68 and thumbprint 5E101179FC71B1A61312EE0D945A1BECD4216EE0 failed to validate.
at ComponentSpace.Saml2.Certificates.CertificateLoader.ValidateCertificate(X509Certificate2 x509Certificate)
at ComponentSpace.Saml2.Certificates.CertificateLoader.LoadCertificateFromStringAsync(String certificateString, String certificatePassword)
--- End of inner exception stack trace ---
at ComponentSpace.Saml2.Certificates.CertificateLoader.LoadCertificateFromStringAsync(String certificateString, String certificatePassword)
at ComponentSpace.Saml2.Certificates.AbstractCachedCertificateLoader.LoadCertificateFromStringAsync(String certificateString, String certificatePassword)
at ComponentSpace.Saml2.Certificates.CertificateManager.LoadCertificatesAsync(IList certificates, CertificateUse certificateUse)
at ComponentSpace.Saml2.Certificates.CertificateManager.GetPartnerIdentityProviderCertificatesAsync(PartnerIdentityProviderConfiguration partnerIdentityProviderConfiguration, CertificateUse certificateUse)
at ComponentSpace.Saml2.SamlServiceProvider.GetPartnerProviderSignatureCertificatesAsync(Boolean precondition)
at ComponentSpace.Saml2.SamlServiceProvider.VerifySamlResponseSignatureAsync(XmlElement samlResponseElement)
at ComponentSpace.Saml2.SamlServiceProvider.ProcessSamlResponseAsync(XmlElement samlResponseElement, String relayState)
at ComponentSpace.Saml2.SamlServiceProvider.ReceiveSsoAsync()

Please, advise.
Thanks

By default we check for expired certificates.

This check can be turned off through the CertificateValidationOptions.


using ComponentSpace.Saml2.Certificates;
using ComponentSpace.Saml2.Configuration;
using ComponentSpace.Saml2.Session;

// Disable the NotAfter (expiry) check applied when partner certificates are loaded.
services.Configure<CertificateValidationOptions>(options =>
{
    options.EnableNotAfterCheck = false;
});

// Add SAML SSO services.
services.AddSaml(Configuration.GetSection("SAML"));



Thanks for replying.
As I understand from your reply, the feature isn't available in ComponentSpace SAML. Am I right?
If so, why is there a list of PartnerCertificates? In my case, it has both expired and non-expired certificates in it, and ComponentSpace SAML could evaluate each certificate and validate the incoming SAML Assertion before throwing that none of the certificates in PartnerCertificates are valid.

You need to turn off the certificate validation for this to work.

We will consider changing this functionality in a future release so this isn’t necessary.

This would also be useful functionality for my org. I’m surprised that having expired and non-expired certs wasn’t thought of in the original implementation. And the exception message isn’t obvious at all. As the previous poster indicated, this defeats the purpose of supporting a list of certificates. Why wouldn’t it validate only the certificate in the current request?

The current implementation is causing problems for my customers, so we’ve created a custom implementation of ISamlConfigurationResolver to remove the expired certs from the list before ComponentSpace tries to validate them. Hope that workaround can help others struggling with this issue.
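One way to build the workaround described in the post above, as an added example (not the poster's code and not part of the ComponentSpace library): a decorating ISamlConfigurationResolver that filters expired entries out of PartnerCertificates before the library loads them. It assumes the interface members and namespace shown, that Certificate.String carries the base64 certificate, and that PartnerCertificates is settable; check these against the library version in use.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using ComponentSpace.Saml2.Configuration;
using ComponentSpace.Saml2.Configuration.Resolver; // assumed namespace of ISamlConfigurationResolver

// Decorates the resolver already in use and drops partner certificates whose
// validity period has ended, so the library's NotAfter check never sees them.
public class ExpiredCertificateFilteringResolver : ISamlConfigurationResolver
{
    private readonly ISamlConfigurationResolver _inner;
    public ExpiredCertificateFilteringResolver(ISamlConfigurationResolver inner) => _inner = inner;

    public async Task<PartnerIdentityProviderConfiguration> GetPartnerIdentityProviderConfigurationAsync(
        string configurationName, string partnerName)
    {
        var config = await _inner.GetPartnerIdentityProviderConfigurationAsync(configurationName, partnerName);
        if (config?.PartnerCertificates == null) return config;
        var now = DateTime.UtcNow;
        var unexpired = config.PartnerCertificates.Where(c => !IsExpired(c, now)).ToList();
        // If every certificate has expired, leave the list alone: the library's own
        // "failed to validate" exception is a clearer signal than an empty list.
        if (unexpired.Count > 0) config.PartnerCertificates = unexpired; // assumes a settable property
        return config;
    }

    // Assumes Certificate.String holds the base64 DER certificate (the library loads it "from the string").
    private static bool IsExpired(Certificate certificate, DateTime now)
    {
        if (string.IsNullOrWhiteSpace(certificate.String)) return false; // file/store entries: leave to the library
        try
        {
            using var x509 = new X509Certificate2(Convert.FromBase64String(certificate.String));
            return x509.NotAfter.ToUniversalTime() < now;
        }
        catch (Exception e) when (e is FormatException || e is CryptographicException) { return false; } // let the library report bad input
    }

    // Remaining members (assumed interface shape) are delegated unchanged.
    public Task<bool> IsLocalServiceProviderAsync(string configurationName = null) => _inner.IsLocalServiceProviderAsync(configurationName);
    public Task<bool> IsLocalIdentityProviderAsync(string configurationName = null) => _inner.IsLocalIdentityProviderAsync(configurationName);
    public Task<LocalServiceProviderConfiguration> GetLocalServiceProviderConfigurationAsync(string configurationName = null) => _inner.GetLocalServiceProviderConfigurationAsync(configurationName);
    public Task<LocalIdentityProviderConfiguration> GetLocalIdentityProviderConfigurationAsync(string configurationName = null) => _inner.GetLocalIdentityProviderConfigurationAsync(configurationName);
    public Task<PartnerServiceProviderConfiguration> GetPartnerServiceProviderConfigurationAsync(string configurationName, string partnerName) => _inner.GetPartnerServiceProviderConfigurationAsync(configurationName, partnerName);
    public Task<IList<string>> GetPartnerIdentityProviderNamesAsync(string configurationName = null) => _inner.GetPartnerIdentityProviderNamesAsync(configurationName);
    public Task<IList<string>> GetPartnerServiceProviderNamesAsync(string configurationName = null) => _inner.GetPartnerServiceProviderNamesAsync(configurationName);
}
```

Register it in place of the resolver that AddSaml registers (for example by wrapping the original instance in your DI setup). This only hides the expired entries: a response signed with an expired certificate then fails signature verification instead of certificate validation, so SSO still fails, as the thread later agrees it should.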

Thank you for your feedback.

We’ll look to include more specific exception messages (e.g. "certificate has expired" rather than "certificate failed to validate").

I’d like to see what you think of the following.

Suppose there are two partner certificates configured - one has expired and the other hasn’t.

If a SAML response is received that’s signed with the unexpired certificate, this should succeed.

However, if a SAML response is received that’s signed with the expired certificate, what should happen? If certificate validation is enabled, we’ll throw an exception and SSO will fail. If certificate validation has been turned off, signature verification and SSO should succeed.

What do you think?

[quote]
ComponentSpace - 11/28/2022
Thank you for your feedback.

We'll look to include more specific exception messages (e.g. "certificate has expired" rather than "certificate failed to validate").

I'd like to see what you think of the following.

Suppose there are two partner certificates configured - one has expired and the other hasn't.

If a SAML response is received that's signed with the unexpired certificate, this should succeed.

However, if a SAML response is received that's signed with the expired certificate, what should happen? If certificate validation is enabled, we'll throw an exception and SSO will fail. If certificate validation has been turned off, signature verification and SSO should succeed.

What do you think?
[/quote]

If certificate validation has been turned on, then before throwing an error ComponentSpace could validate the incoming SAMLResponse with the certificates (both expired and non-expired) from the list of PartnerCertificates.

Yes, but if certificate validation is enabled and the SAML response is signed using the expired certificate, what should we do? I’m suggesting we throw an exception and the SSO fails.

[quote]
ComponentSpace - 11/28/2022
Yes, but if certificate validation is enabled and the SAML response is signed using the expired certificate, what should we do? I'm suggesting we throw an exception and the SSO fails.
[/quote]

In that case, we should still fail because the certificate is expired.

We’re in agreement. I’ll wait to hear back from the other poster as well.

[quote]
ComponentSpace - 11/28/2022
We're in agreement. I'll wait to hear back from the other poster as well.
[/quote]

Agreed. That makes sense to me as well.

Thank you. There should be a beta available next week. Someone will contact you when it’s ready.

Please contact support@componentspace.com if you’re interested in trying the beta.

[quote]
ComponentSpace - 12/5/2022
Please contact support@componentspace.com if you're interested in trying the beta.
[/quote]

I can try the beta version; will contact you.
Thanks!

The beta is ready. Contact support when you’re ready to try it.

Thanks.

[quote]
ComponentSpace - 12/13/2022
The beta is ready. Contact support when you're ready to try it.

Thanks.
[/quote]

I sent an email to support@componentspace.com. Please reach out to me.

A download link has been sent. Thanks.

[quote]
ComponentSpace - 1/25/2023
A download link has been sent. Thanks.
[/quote]

It works. Thanks for taking care.

You’re welcome. Thanks for reporting back.

In what version of the library are multiple partner certificates supported? We are looking for a phased rollover of expiring certificates.

Thank you!