Read the certificate from Azure key vault and SP authentication scenario

Hello Team,

Dotnet version: 4.7.2

We are currently using ComponentSpace.SAML2 version 3.2.0.0 for the SP-initiated flow and it is working. In this case, we are storing the certificate in the local IIS directory and setting the file path in LocalCertificateFile.

Now we have a new requirement to read the certificate from Azure Key Vault and use that certificate in the service-provider-initiated authentication flow.

I have read the certificate from Azure Key Vault, but in this case we get an X509Certificate2 object.

How do I configure the properties for SAML?

Could you please help with this?

Code

using System;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;

string localCertificateThumbprint = null;
string localCertificateSubject = null;
string localString = null;

var clientCredential = new ClientSecretCredential(tenantId, clientId, clientSecret);
var certificateClient = new CertificateClient(new Uri(keyVaultUrl), clientCredential);
try
{
    // Retrieve the certificate
    KeyVaultCertificateWithPolicy certificate = certificateClient.GetCertificate(certificateName);

    // Extract the public X.509 certificate
    X509Certificate2 x509Certificate = new X509Certificate2(certificate.Cer);

    localCertificateThumbprint = x509Certificate.Thumbprint;

    localCertificateSubject = x509Certificate.Subject;

    // Base64 of the DER-encoded public certificate
    localString = Convert.ToBase64String(x509Certificate.Export(X509ContentType.Cert));

    // Round-trip the base64 text through X509Certificate2 and re-encode the raw DER bytes
    localString = Convert.ToBase64String(new X509Certificate2(Encoding.ASCII.GetBytes(localString)).RawData);
}
catch (Exception ex)
{
    // Handle exceptions
    // ex.Message contains error details
}

LocalServiceProviderConfiguration localServiceProvider = GetLocalServiceProviderConfiguration(configurationID);
//localServiceProvider.LocalCertificateString = localString;
//localServiceProvider.LocalCertificateFile = localString;
localServiceProvider.LocalCertificateString = localString;
localServiceProvider.LocalCertificateThumbprint = localCertificateThumbprint;
localServiceProvider.LocalCertificateSubject = localCertificateSubject;


You need to include the private key in the exported certificate.

For example:


var certificateString = Convert.ToBase64String(x509Certificate.Export(X509ContentType.Pkcs12));



You can then specify this through the LocalCertificateString property.


localServiceProvider.LocalCertificateString = certificateString;



Don’t specify other properties such as LocalCertificateThumbprint etc.

Later releases of the SAML library have more direct support for the Azure key vault as described in the applicable Certificate Guide.


I have uploaded the .pfx file on Azure Key Vault.
In the above code, I have made the following changes:
try
{
    // Retrieve the certificate
    KeyVaultCertificateWithPolicy certificate = certificateClient.GetCertificate(certificateName);
    // Extract the public X.509 certificate
    X509Certificate2 x509Certificate = new X509Certificate2(certificate.Cer);
    //localString = Convert.ToBase64String(x509Certificate.Export(X509ContentType.Pkcs12));
    //both option checked
    localString = Convert.ToBase64String(x509Certificate.Export(X509ContentType.Pfx));
}
catch (Exception ex)
{
    // Handle exceptions
    // ex.Message contains error details
}

localServiceProvider.LocalCertificateString = localString;
localServiceProvider.LocalCertificatePassword = "xxx";

ComponentSpace.SAML2.Exceptions.SAMLCertificateException: 'The X.509 certificate could not be loaded from the string "' CryptographicException: The specified network password is not correct.

But I have checked that the password is correct; it is the same one used in the local file path scenario.

Could you please help with this?

Thanks

The certificate file password is only relevant for loading the certificate from the file.

If you wish to password protect the exported certificate, you need to use the Export method overload that takes a password.

For example:


var certificateString = Convert.ToBase64String(x509Certificate.Export(X509ContentType.Pkcs12, "topsecret"));



You then specify both the LocalCertificateString and LocalCertificatePassword.


localServiceProvider.LocalCertificateString = certificateString;
localServiceProvider.LocalCertificatePassword = "topsecret";



For more information, please refer to the Microsoft documentation on the X509Certificate.Export method.
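The two replies above together describe the full procedure: obtain a certificate that actually carries the private key, export it as password-protected PKCS#12, and set LocalCertificateString and LocalCertificatePassword only. The following is an added example written for this page; it is not ComponentSpace's code nor the poster's. It assumes the Azure.Security.KeyVault.Certificates and Azure.Security.KeyVault.Secrets packages, that LocalServiceProviderConfiguration lives in the ComponentSpace.SAML2.Configuration namespace as in the 3.x library, and that the certificate was imported into Key Vault with an exportable private key, in which case Key Vault stores the password-less PFX in a secret of the same name (KeyVaultCertificateWithPolicy.Cer is only the public part, so exporting it as PKCS#12 can never include the key).

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Azure.Core;
using Azure.Security.KeyVault.Certificates;
using Azure.Security.KeyVault.Secrets;
using ComponentSpace.SAML2.Configuration; // assumed namespace for LocalServiceProviderConfiguration

// Added example (not library or poster code): load a Key Vault certificate
// including its private key and hand it to the SAML SP configuration.
public static class KeyVaultSamlCertificate
{
    // Returns an X509Certificate2 with an exportable private key, or throws when
    // Key Vault did not give us one (e.g. the certificate was imported non-exportable).
    public static X509Certificate2 LoadWithPrivateKey(Uri keyVaultUrl, string certificateName, TokenCredential credential)
    {
        var certificateClient = new CertificateClient(keyVaultUrl, credential);
        var secretClient = new SecretClient(keyVaultUrl, credential);

        // The certificate object only carries the public DER bytes (.Cer).
        KeyVaultCertificateWithPolicy certificate = certificateClient.GetCertificate(certificateName);

        // The private key is in the companion secret with the same name.
        KeyVaultSecret secret = secretClient.GetSecret(certificateName);
        if (!string.Equals(secret.Properties.ContentType, "application/x-pkcs12", StringComparison.OrdinalIgnoreCase))
        {
            // Assumption: the certificate was imported/created as PFX; PEM-typed secrets need a different loader.
            throw new InvalidOperationException("Expected a PKCS#12 secret, got: " + secret.Properties.ContentType);
        }

        byte[] pfxBytes = Convert.FromBase64String(secret.Value); // Key Vault PFX secrets have no password
        var x509 = new X509Certificate2(
            pfxBytes,
            (string)null,
            // Exportable so we can re-export as PKCS#12; MachineKeySet avoids user-profile
            // key container errors under IIS application pools.
            X509KeyStorageFlags.Exportable | X509KeyStorageFlags.MachineKeySet);

        if (!x509.HasPrivateKey)
        {
            throw new InvalidOperationException("Certificate '" + certificateName + "' has no private key; the SP cannot sign with it.");
        }

        // Sanity check: the secret we loaded belongs to the certificate we asked for.
        string publicThumbprint = new X509Certificate2(certificate.Cer).Thumbprint;
        if (!string.Equals(x509.Thumbprint, publicThumbprint, StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException("Thumbprint mismatch between certificate and its secret.");
        }

        return x509;
    }

    // Applies the certificate exactly as the replies above describe: password-protected
    // PKCS#12 in LocalCertificateString, matching LocalCertificatePassword, nothing else.
    public static void Configure(LocalServiceProviderConfiguration localServiceProvider, X509Certificate2 x509, string exportPassword)
    {
        if (string.IsNullOrEmpty(exportPassword))
        {
            throw new ArgumentException("Use a non-empty password; it must match LocalCertificatePassword.", nameof(exportPassword));
        }

        string certificateString = Convert.ToBase64String(x509.Export(X509ContentType.Pkcs12, exportPassword));

        localServiceProvider.LocalCertificateString = certificateString;
        localServiceProvider.LocalCertificatePassword = exportPassword;

        // Leave LocalCertificateFile, LocalCertificateThumbprint and LocalCertificateSubject unset;
        // the password is only meaningful for the string/file actually being loaded.
        localServiceProvider.LocalCertificateFile = null;
        localServiceProvider.LocalCertificateThumbprint = null;
        localServiceProvider.LocalCertificateSubject = null;
    }
}
```

Usage is `Configure(localServiceProvider, LoadWithPrivateKey(new Uri(keyVaultUrl), certificateName, credential), exportPassword)`, where the credential can be the poster's ClientSecretCredential or, preferably on Azure-hosted IIS, a managed identity credential so no client secret has to be stored. The export password only protects an in-memory string that the library decodes immediately, so it can be a value generated per process rather than a configured secret; the thumbprint comparison and HasPrivateKey check turn the "network password is not correct" style failure into a clear error at startup instead of at the first sign-in.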