Required format for IdP certificate

naxtell · October 22, 2020, 8:59am

I have a client that is currently using the Low Level API implementation with SAML v2.0 for .NET4 (2.5.0.0). We are planning an upgrade to the latest version and have purchased the upgraded ComponentSpace software, however the Identity Provider is updating their certificate this weekend. They have provided x509 certificate supposedly in ~~DER~~ PEM(?) format.
[quote]-----BEGIN CERTIFICATE-----
[…]
-----END CERTIFICATE-----[/quote]
In an old email from the original developer he states the following, however we don’t have any process documented:
[quote]I converted the certificate that [the Identity Provider] sent to the format that the ComponentSpace SAML library wants… [/quote]
When I look at the CER file that the developer generated in NotePad++, I see a lot of special characters along with some plain text that reads “DigiCert” and also the name of the Identity Provider.
Could you tell me what I should do to generate the CER file that ComponentSpace requires?
Thanks!

naxtell · October 22, 2020, 1:05pm

I believe the previous developer may have used the sample project MetadataExample as I see some customizations. I can’t tell how the developer made it from there to generating a CER file that ComponentSpace can use in the following Verify() call:

var x509Certificate = X509Certificate2(fileName, null, X509KeyStorageFlags.MachineKeySet);
if (SAMLMessageSignature.Verify(samlResponseXml, x509Certificate))
{
samlResponse = new SAMLResponse(samlResponseXml);
}

When I attempt to simply use the PEM certificate, the Verify function fails.

ComponentSpace · October 22, 2020, 2:43pm

We use the X509Certificate2 class to load certificates. Certificates can either be in ASCII (ie PEM/PKCS7) or binary (ie DER) encoding.

If you can double click the certificate file and Windows opens it as a certificate, it should load through the X509Certificate2 class.

If you’re seeing non-printing characters, it’s most likely in the binary DER format. However, the ASCII format with the optional -----BEGIN CERTIFICATE-----/-----END CERTIFICATE----- markers is perfectly acceptable and more commonly used. You should be able to use the provided certificate without requiring any conversion.