Hi all,
Really great toolkit - glad I was able to find it!
I am a total newbie when it comes to SAML configuration with or without Component Space toolkit. Please don’t shoot me if my questions are immensely naive!
I am trying to configure our app as a service provider with two identity providers:
1. Azure AD
2. Ping ID
Everything on the application development side works find - no help needed there. I was also able to configure the identity providers as well. But here is something I dont understand. This is my local service provider configuration
LocalServiceProviderConfiguration = new LocalServiceProviderConfiguration()
{
Name = “id”,
Description = “Example Service Provider”,
AssertionConsumerServiceUrl = "<a href=“https://localhost:5001/login/saml",">https://localhost:5001/login/saml”,
LocalCertificates = new List()
{
new Certificate()
{
FileName = “certificates/some.pfx”,
Password = “something”
}
}
}
And here is my configuration for Azure AD
new PartnerIdentityProviderConfiguration()
{
Name = "<a href=“https://sts.windows.net/..................................../“,”>https://sts.windows.net/..................................../”,
Description = “Azure”,
SingleSignOnServiceUrl = "<a href=“https://login.microsoftonline.com/......................../saml2",">https://login.microsoftonline.com/......................../saml2”,
SingleLogoutServiceUrl = "<a href=“https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0",">https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0”,
PartnerCertificates = new List()
{
new Certificate()
{
FileName = “certificates/azure.cer”
}
}
}
This code works. But how can it work? I am using a PFX certificate on the service provider side and nothing links that to Azure. I didn’t upload a CER / PEM file anywhere. Instead, I downloaded a CER file from Azure and using it as a partner certificate. Shouldn’t this fail since I m encrypting messages that Azure can’t decrypt?
Ping ID DOES require a certificate. How would this configuration change to use both idPs?
Thanks
We’re always happy to answers questions so please don’t worry about that.
The local certificate is used to sign SAML messages sent to the IdP or to decrypt SAML assertions received from the IdP. If neither occurs this certificate isn’t used and in fact doesn’t need to be configured.
The SAML authn request sent to the IdP as part of SP-initiated SSO is signed using the local certificate’s private key, if the PartnerIdentityProviderConfiguration.SignAuthnRequest property is set to true. Even if the authn request is signed, if the IdP isn’t configured with the SP’s certificate it will most likely ignore the signature and continue to process the authn request. Not all IdPs support verifying authn request signatures.
Encryption of the SAML assertion isn’t commonly performed although of course we do support it. PartnerIdentityProviderConfiguration.WantAssertionEncrypted requires the SAML assertion to be encrypted and the local certificate’s private key is used to perform the decryption.