Trying to convert a .cer to a .pfx

Hello,

I am working on an IdP-initiated project. I should implement the SSO using SAML. I only have to work on the IdP part. I don't have to touch the SP (that's what they told me).
The client for whom I am working sent me the IdP certificate and the IdP Metadata. And I have some questions…

1. Should they also send me the SP certificate and the SP Metadata? I mean, I think there has to be some kind of relationship between the IdP Metadata and the SP Metadata since they share some info, right? (and same for the certificates).
2. The client sent me the certificate. It’s a .cer, but I think I need a .pfx. I was trying to export the .cer as .pfx using the MMC Certificates Snap-In, but the .PFX option is not allowed (I am attaching a screenshot). Why…?

Could someone help me with these questions?

Thanks in advance,
Jorge



If your site is the IdP and the 3rd party site is the SP, your IdP metadata should be provided to the SP so they can configure their site and the SP should provide you with their SP metadata so you can configure your IdP.

1. Yes, you will need the SP’s metadata so you can configure your IdP. For example, you need to know the assertion consumer service URL which is where you send the SAML response to. This is specified in the SP’s metadata. In general, the IdP and SP exchange SAML metadata. The IdP supplies the SP with the IdP metadata and the SP supplies the IdP with the SP metadata.

2. Is the .CER file the IdP’s or SP’s certificate? If it’s the IdP certificate you will need the .PFX file which includes the private key. This is used to sign the SAML response or assertion sent to the SP. The corresponding certificate/public key needs to be supplied to the SP so they can verify signatures generated by the IdP. This can be supplied either as a .CER file or as part of the IdP metadata. The option to export as a .PFX isn’t available as the certificate doesn’t include a private key.
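
The private-key point in the reply above can be checked from PowerShell. This is an added example, not part of the original thread or any vendor's code: the function name `Test-CanExportPfx`, the subject name, the file paths and the password are constructed for illustration, and a throwaway self-signed certificate stands in for the IdP signing certificate.

```powershell
$ErrorActionPreference = 'Stop'
$X509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]

function Test-CanExportPfx {
    # Hypothetical helper: reports whether a private key is available for a .cer file.
    param([Parameter(Mandatory)][string]$CerPath)

    # A .cer carries only the X.509 certificate (public key), never the private key.
    $fromFile = $X509::new($CerPath)

    # Look up the same certificate by thumbprint in the personal stores, where
    # Windows keeps the link to a private key if this machine holds one.
    $inStore = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $fromFile.Thumbprint } |
        Select-Object -First 1

    [pscustomobject]@{
        Subject            = $fromFile.Subject
        Thumbprint         = $fromFile.Thumbprint
        FileHasPrivateKey  = $fromFile.HasPrivateKey
        StoreHasPrivateKey = [bool]($inStore -and $inStore.HasPrivateKey)
    }
}

# Constructed demo: create a key pair in the store, then export its public part as .cer.
$cert = New-SelfSignedCertificate -Subject 'CN=constructed-idp-signing' `
    -CertStoreLocation Cert:\CurrentUser\My -KeyExportPolicy Exportable
$cer = Join-Path $env:TEMP 'constructed-idp.cer'
$pfx = Join-Path $env:TEMP 'constructed-idp.pfx'
try {
    Export-Certificate -Cert $cert -FilePath $cer | Out-Null
    Test-CanExportPfx -CerPath $cer

    # PFX export succeeds only from the store entry that owns an exportable private key.
    # Sample password for the throwaway key only; prompt for a real one in practice.
    $pw = ConvertTo-SecureString 'constructed-sample-password' -AsPlainText -Force
    Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $pw | Out-Null
    $X509::new($pfx, $pw).HasPrivateKey
}
finally {
    # Remove the demo files and the throwaway certificate together with its key.
    Remove-Item $cer, $pfx -ErrorAction SilentlyContinue
    Remove-Item "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
}
```

If `StoreHasPrivateKey` is false for a .cer received from another party, the private key was never on this machine and the .pfx has to come from whoever generated the key pair.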