Use user certificate store to load key for signing and encryption

Hi,
As far as I can see in the documentation, the certificate manager supports loading the private key from the user storage as well as from files. However, I have yet to find a low level API or high level API on how to load the private key from the Windows certificate storage (machine or user) and use it on the SAML SP or IDP side.
Any guide to the right documentation will be much appreciated.
One thing to set out here is that what I'm looking for is to let the SAML SP or IDP use the private key from their store without specifying a password, and let the machine crypto work with SAML to sign or encrypt when needed.
I hope it makes sense.


Please take a look at the following article. It describes specifying a certificate and private key either stored in the file system or in the Windows certificate store.

The certificate and private key may be installed into the computer (not current user) Windows certificate store. It can then be specified by subject DN, serial number or thumbprint.
Let me know if you have any other questions.

Thanks. This looks good, but I have seen this. My challenge is how I can do the same in the low level API, and if I can programmatically call this to read from a specific store (it could be a user store rather than the machine store, since the application pool on IIS runs under a specific account).

If you’re using the low-level API all you need to do is supply an X509Certificate object. You control how you load the certificate etc. The .NET framework class System.Security.Cryptography.X509Certificates.X509Store may be used to load the certificate from the Windows certificate store. You have full control including specifying which store to use.
If you’re using the high-level API and wish to retrieve certificates from the Windows certificate store for a particular user account, you can implement the ICertificateManager interface which is described in our Developer Guide.
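As an added illustration of the X509Store approach mentioned above (example code, not from this thread or the SAML library's own source), the helper below looks a certificate up by thumbprint in either the machine or the current-user store and checks that the private key is actually accessible to the running account; the thumbprint value and the class and method names are constructed for the example.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example: load a signing/encryption certificate from the Windows
// certificate store. StoreLocation.LocalMachine selects the computer store,
// StoreLocation.CurrentUser the store of the account the process runs under
// (for IIS, the application pool identity).
public static class StoreCertificateLoader
{
    public static X509Certificate2 LoadByThumbprint(
        string thumbprint, StoreLocation location, StoreName storeName = StoreName.My)
    {
        // Thumbprints copied from certmgr.msc often carry spaces; normalise them.
        string normalized = thumbprint.Replace(" ", string.Empty).ToUpperInvariant();

        using (var store = new X509Store(storeName, location))
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

            // validOnly: true rejects expired, revoked or untrusted certificates.
            X509Certificate2Collection matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, normalized, validOnly: true);

            if (matches.Count == 0)
                throw new InvalidOperationException(
                    $"No valid certificate with thumbprint {normalized} in {location}\\{storeName}.");

            X509Certificate2 certificate = matches[0];

            // Signing and decryption need the private key. The store entry may hold
            // only the public certificate, or the account may lack key permissions;
            // either case surfaces here rather than as a failed signature later.
            if (!certificate.HasPrivateKey)
                throw new InvalidOperationException(
                    "Certificate found, but its private key is not accessible to this account.");

            return certificate;
        }
    }

    // Usage with a constructed placeholder thumbprint (not a real value).
    public static void Main()
    {
        const string ThumbprintPlaceholder = "0000000000000000000000000000000000000000";
        X509Certificate2 cert = LoadByThumbprint(ThumbprintPlaceholder, StoreLocation.CurrentUser);
        Console.WriteLine($"Loaded {cert.Subject}; private key available: {cert.HasPrivateKey}");
    }
}
```

The returned X509Certificate2 is what the low-level API expects; for the user store, the private key must have been imported under the same account the application pool runs as, otherwise HasPrivateKey is false.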

Awesome. Will do. I managed to use the machine store using the high level API and it works like a charm. I'm struggling to force the Authrequest to be digitally signed, despite the fact that the cert is loaded and I configured the partneridentityprovider configuration to set Authrequestsigned to true.

If you’re using the default HTTP-redirect SAML binding then the authn request doesn’t include an XML signature. Instead, as per the SAML binding specification, a different type of signing occurs that includes the signature as an additional query string parameter. I’m not sure if that’s what you are seeing.
You’re welcome to send me your SAML config file and log file and I can take a look. It’s best to email these to
The following topic describes how to enable SAML trace.

We made good progress using a certificate in the machine store to sign or encrypt perfectly. However, I'm wondering if we can specify to load the certificate from the user store using the high level protocol.
Is it possible?

You would need to write a custom ICertificateManager. Our Developer Guide describes how to do this.

Your custom certificate manager would then load certificates from the user store.

However, our recommendation is to store certificates in the machine store rather than in a user store.