The local service provider X.509 certificate doesn't have a private key.

Hi,

I am following http://www.componentspace.com/Forums/39/ADFS-SAML-SSO-ADFS-as-the-Identity-ProviderClaims-Provider to configure my application (SP) to consume SAML Assertions from ADFS 2.0 but I am getting "The local service provider X.509 certificate doesn't have a private key."

I am using the sp.cer file when configuring the relying party.

Please help.

Thanks,
Muhammad Masood

The local service provider certificate file must be a PFX rather than a CER as a private key is required for XML signature generation and/or XML decryption.
If you configured the relying party in ADFS using sp.cer then the local service provider in your saml.config must specify the corresponding sp.pfx.

[quote]
ComponentSpace - Thursday, June 16, 2016
The local service provider certificate file must be a PFX rather than a CER as a private key is required for XML signature generation and/or XML decryption.
If you configured the relying party in ADFS using sp.cer then the local service provider in your saml.config must specify the corresponding sp.pfx.
[/quote]

Hi,

Is it possible to use Thumbprint to decrypt?

I am using below configuration:

samlConfiguration.AddPartnerIdentityProvider(new PartnerIdentityProviderConfiguration
{
    Name = "http://sts.mmasood.com/adfs/services/trust",
    SignAuthnRequest = true,
    WantSAMLResponseSigned = false,
    WantAssertionSigned = true,
    WantAssertionEncrypted = true,
    UseEmbeddedCertificate = true,
    SingleSignOnServiceUrl = "https://sts.mmasood.com/adfs/ls/"
});

But I am not getting a signed assertion. Is there any other setting on the ADFS side I am missing, or something else?

Thanks,
Muhammad Masood

Hi Muhammad,
I’m not sure what you mean by using a thumbprint to decrypt. Certificates stored in the Windows certificate store may be identified by their thumbprint versus the subject name or serial number. However, it’s the certificate itself (or more precisely the associated private key) that’s used in the decryption.
How far does the SSO progress before it fails?
Do you login at ADFS?
Is a generic ADFS error message displayed?
If a generic ADFS error message is displayed then you or someone with access to the ADFS server will need to take a look at the Windows event log for ADFS. This should provide a specific error message identifying the problem.
If SAMLServiceProvider.ReceiveSSO is throwing an exception then please include the details.
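The two points ComponentSpace makes above (a .cer holds only the public certificate, so signing and decryption need the matching .pfx; a thumbprint only locates a certificate in the Windows store, it is the private key behind it that decrypts) can be checked before wiring up saml.config. The following is an added example written for this thread, not ComponentSpace code; the file names sp.cer and sp.pfx come from the thread, while the PFX password and the thumbprint are placeholders.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class SpCertificateCheck
{
    // True only if the certificate carries an RSA private key we can actually
    // open, which is what XML signature generation and XML decryption need.
    static bool HasUsablePrivateKey(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey) return false;
        using (RSA rsa = cert.GetRSAPrivateKey())
        {
            return rsa != null;
        }
    }

    // A .pfx (PKCS#12) can hold the private key, protected by a password.
    static X509Certificate2 LoadPfx(string path, string password)
    {
        return new X509Certificate2(path, password);
    }

    // Find a certificate in the local machine "Personal" store by thumbprint.
    // The thumbprint is just a lookup key; the store entry must also have a
    // private key for the SP to decrypt or sign anything.
    static X509Certificate2 LoadFromStoreByThumbprint(string thumbprint)
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            return matches.Count == 0 ? null : matches[0];
        }
    }

    static void Main()
    {
        // Public part only: a .cer can verify signatures but never sign or decrypt.
        var publicOnly = new X509Certificate2("sp.cer");
        Console.WriteLine("sp.cer usable as local SP certificate: " + HasUsablePrivateKey(publicOnly));

        // Same certificate exported with its private key (placeholder password).
        var withKey = LoadPfx("sp.pfx", "PFX-PASSWORD-PLACEHOLDER");
        Console.WriteLine("sp.pfx usable as local SP certificate: " + HasUsablePrivateKey(withKey));

        // Store-based alternative, located by thumbprint (placeholder value).
        var fromStore = LoadFromStoreByThumbprint("THUMBPRINT-PLACEHOLDER");
        Console.WriteLine(fromStore == null
            ? "no certificate with that thumbprint in LocalMachine\\My"
            : "store certificate usable: " + HasUsablePrivateKey(fromStore));
    }
}
```

If the store lookup finds the certificate but HasUsablePrivateKey returns false, the private key was not imported with it or the process account lacks permission on the key, which produces the same "doesn't have a private key" error as pointing saml.config at a .cer.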