token signing certification update

Hello,
We have just been informed by our client, who is using an ADFS IdP; we are the SP for the SSO.
The certificate (token signing certificate) currently used by their ADFS IdP will expire soon.
But on our side we are only using a local (sp.pfx) certificate to sign the authentication request with the ComponentSpace API like this:




I don’t understand why and which cert we should update on our side …
The relying party in the ADFS IdP is configured to sign with the .cer certificate like below:
Encryption certificate: not configured

Signature:


In the ADFS console, the client has the token signing cert that will expire soon



Thank you in advance

The certificates under the relying party’s Encryption and Signature property tabs are the service provider’s certificates. The signature certificate is used by ADFS to verify signatures on SAML messages sent by your service provider (SP). The encryption certificate, if present, is used by ADFS to encrypt SAML assertions sent to your SP.

The token signing certificate under Service > Certificates is the certificate used by ADFS to sign messages it sends to SPs.

Your code shows you are using the SAML low-level API. I presume you have an assertion consumer service endpoint where you receive and process SAML responses from identity providers such as ADFS. As part of this processing, you should be verifying the signature on the SAML assertion or SAML response. You use the ADFS token signing certificate to verify these signatures.

Make sure to update your code to use the new certificate for signature verification once it comes into effect.

If you were using the SAML high-level API, it would be a matter of simply updating the SAML configuration (e.g. the saml.config file) to include the new certificate. The high-level API would attempt to verify signatures using the old certificate, and if that doesn’t work, the new certificate. This makes certificate rollover more straightforward.


Hello,
[quote]I presume you have an assertion consumer service endpoint where you receive and process SAML responses from identity providers such as ADFS. As part of this processing, you should be verifying the signature on the SAML assertion or SAML response. You use the ADFS token signing certificate to verify these signatures.[/quote]
Yes, and here is the code section where the assertion is processed:

It is working and we never had to install any other certificate…
I presume that the embedded signing certificate is used…??

Thank you

Your understanding is correct. You’re using the certificate embedded in the XML signature.

However, this is a serious potential security risk as anyone could send you a signed SAML response and you wouldn’t know. The signature would verify but you have no way to check who actually sent the SAML response.

That’s why you should use a certificate you’ve received out-of-band from the identity provider and use this certificate to verify signatures.

[quote]
ComponentSpace - 12/10/2021
Your understanding is correct. You're using the certificate embedded in the XML signature.

However, this is a serious potential security risk as anyone could send you a signed SAML response and you wouldn't know. The signature would verify but you have no way to check who actually sent the SAML response.

That's why you should use a certificate you've received out-of-band from the identity provider and use this certificate to verify signatures.
[/quote]

Ok, thank you,
but I have a question: what is the embedded signing certificate?
Is it a certificate embedded in the ADFS SAML assertion?

Yes. The certificate is embedded by ADFS when it signs the SAML assertion.

If it were a CA issued certificate you could perhaps trust this certificate as long as the certificate chain was valid and the subject DN correct. However, by default ADFS and many other providers use self-signed certificates so they can’t be trusted directly. You need to have received the certificate previously from a trusted source.

We find the embedded certificate useful when debugging signature verification failures. If the embedded certificate doesn’t match the configured certificate used to perform the signature verification it means the IdP has rolled over to a new certificate and the SP needs to update its configuration with the new certificate from the IdP.
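As an added illustration of the two points above (verifying with a certificate received out-of-band rather than the one embedded in the signature, and using the embedded certificate only to diagnose a rollover), here is example code written against the .NET SignedXml API; it is not ComponentSpace's API or the poster's code. It assumes `signedElement` is the SAML Response or Assertion element carrying an enveloped `ds:Signature`, and that `trustedIdpCertificates` holds the ADFS token signing certificate(s) loaded from the .cer file(s) you were given (both old and new during a rollover window).

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class SamlSignatureVerifier
{
    // Returns true only if the signature verifies with a certificate we trust.
    // The insecure equivalent is signedXml.CheckSignature() with no arguments:
    // that uses whatever certificate the sender embedded in <ds:KeyInfo>.
    public static bool Verify(XmlElement signedElement,
        IList<X509Certificate2> trustedIdpCertificates, out string diagnostic)
    {
        var nsmgr = new XmlNamespaceManager(signedElement.OwnerDocument.NameTable);
        nsmgr.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);
        // Only the element's own (direct child) signature, not a nested one.
        var signatureElement = signedElement.SelectSingleNode("ds:Signature", nsmgr) as XmlElement;
        if (signatureElement == null) { diagnostic = "No enveloped signature found."; return false; }

        var signedXml = new SignedXml(signedElement);
        signedXml.LoadXml(signatureElement);

        // verifySignatureOnly = true: no chain building, which is right for the
        // self-signed certificates ADFS uses by default; trust comes from the
        // out-of-band exchange, not from a CA.
        foreach (var trusted in trustedIdpCertificates)
        {
            if (signedXml.CheckSignature(trusted, true))
            {
                diagnostic = "Verified with configured certificate " + trusted.Thumbprint;
                return true;
            }
        }

        // Failure path: read the embedded certificate purely for diagnostics.
        diagnostic = "Signature did not verify with any configured IdP certificate.";
        foreach (var embedded in EmbeddedCertificates(signedXml))
            diagnostic += " Embedded certificate " + embedded.Thumbprint + " (NotAfter "
                + embedded.NotAfter.ToString("u") + ") is not configured; the IdP may have rolled over.";
        return false;
    }

    private static IEnumerable<X509Certificate2> EmbeddedCertificates(SignedXml signedXml)
    {
        foreach (KeyInfoClause clause in signedXml.KeyInfo)
        {
            var x509Data = clause as KeyInfoX509Data;
            if (x509Data?.Certificates == null) continue;
            foreach (X509Certificate certificate in x509Data.Certificates)
                yield return new X509Certificate2(certificate);
        }
    }
}
```

On .NET Core/.NET 5+ the SignedXml type comes from the System.Security.Cryptography.Xml NuGet package; on .NET Framework it is in System.Security.dll.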