ComponentSpace Forums

IDP metadata has primary and secondary signing certificates
rogerr
Not sure if this is a configuration error on the part of the IDP I am trying to use (ADFS) or not, but the situation is this.

I am running a ComponentSpace service provider in my ASP.NET/MVC site. The ComponentSpace version is 4.3.0.0.

At startup it imports metadata for the IDP using the MetadataImporter.ImportIdentityProviders method to import a single provider from a URL.

The metadata contains 2 certificates with use="signing" attributes. One is the provider's "primary" cert, the other is its "secondary" certificate.
The order is primary followed by secondary. Both have the same subject name.

After importing the metadata, there is only one certificate in the certificates folder, and it is that of the secondary certificate.
When the IDP sends a SAML response, it is signing it with the primary certificate.

As a result, unless I set UseEmbeddedCertificate to true in the provider config, I get a signature verification error when the response is processed.

So my questions are:
- Is it considered legitimate or bad practice to set UseEmbeddedCertificate to true? It seems like for maximum security we should be relying only on the metadata that has been exchanged, not on what is in the current request, right?
- Is there a way to control which certificate is imported from the metadata if they have the same subject name, or to have it go ahead and import both versions and then try them both or something?
- Is this a common situation, hence the availability of the UseEmbeddedCertificate option, or is this really an error on the part of the IDP setup? Like maybe they shouldn't use the same subject name for both primary and secondary certificates or something.


Thanks 

roger


ComponentSpace Development
Hi Roger,

The UseEmbeddedCertificate option is really only meant for debugging purposes and shouldn't be used in production. The MetadataImporter should import both certificates. At runtime, the first certificate is used to verify the signature and, if that fails, the second certificate is tried.

Would you mind sending the ADFS metadata to [email protected] mentioning your forum post?

I'd like to try to reproduce the issue.

Thanks.

Regards
ComponentSpace Development
rogerr
ComponentSpace - 8/27/2020

Thank you.  That's kind of what i figured.
Metadata sent.


ComponentSpace Development
Thanks. This is a limitation in how we create the certificate file names. I'll email you a download link to a beta that removes this limitation.

Regards
ComponentSpace Development
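The two vendor replies above describe a verification policy (try the metadata certificates in order, first then second; treat UseEmbeddedCertificate as debug-only) and a storage bug (certificate file names derived from the subject, so two certificates with one subject collide). The following is an added, stand-alone illustration of both points and is not ComponentSpace code, nor does it use the ComponentSpace API. It is written in Go rather than .NET so it can be run without the library. Everything in it is an assumption for the example: the function names (ImportSigningCerts, Verify, Sign, NewSelfSigned, BuildMetadata), the constructed IdP metadata with two self-signed use="signing" certificates sharing the subject adfs.example.test, and the simplified signature, which is RSA PKCS#1 v1.5 over SHA-256 of a byte string rather than real XML-DSig with canonicalisation and References. Certificates are stored by SHA-256 thumbprint instead of subject, which is the obvious way around the file-name collision, and the forgery check shows why trusting the certificate embedded in the message is not a verification at all.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"time"
)

// Just enough of the SAML 2.0 metadata schema to reach the IdP's KeyDescriptor elements.
type entityDescriptor struct {
	Keys []struct {
		Use  string `xml:"use,attr"`
		Cert string `xml:"KeyInfo>X509Data>X509Certificate"`
	} `xml:"IDPSSODescriptor>KeyDescriptor"`
}

// ImportSigningCerts returns every use="signing" certificate in document order, de-duplicated
// by SHA-256 thumbprint rather than by subject name, so two certs with one subject both survive.
func ImportSigningCerts(metadata []byte) ([]*x509.Certificate, error) {
	var ed entityDescriptor
	if err := xml.Unmarshal(metadata, &ed); err != nil {
		return nil, err
	}
	seen, certs := map[[32]byte]bool{}, []*x509.Certificate{}
	for _, k := range ed.Keys {
		if k.Use != "" && k.Use != "signing" { // an absent use attribute means signing and encryption
			continue
		}
		der, err := base64.StdEncoding.DecodeString(k.Cert) // DecodeString already skips \r and \n
		c, perr := x509.ParseCertificate(der)                // ParseCertificate(nil) errors too
		if err != nil || perr != nil {
			return nil, fmt.Errorf("bad X509Certificate in metadata: %v / %v", err, perr)
		}
		if tp := sha256.Sum256(c.Raw); !seen[tp] { // thumbprint: distinct even when subjects match
			seen[tp], certs = true, append(certs, c)
		}
	}
	return certs, nil
}

// Sign stands in for the IdP's XML signature: RSA PKCS#1 v1.5 over SHA-256 of the body (no XML-DSig canonicalisation).
func Sign(body []byte, key *rsa.PrivateKey) ([]byte, error) {
	d := sha256.Sum256(body)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, d[:])
}

// Verify is the policy the vendor describes: try the trusted certificates in order and return the index
// of the first that verifies. Passing the certificate embedded in the message as "trusted" lets any key pass.
func Verify(body, sig []byte, trusted []*x509.Certificate) (int, error) {
	d := sha256.Sum256(body)
	for i, c := range trusted {
		if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil {
			return i, nil
		}
	}
	return -1, fmt.Errorf("signature does not verify against any of %d trusted certificates", len(trusted))
}

// NewSelfSigned makes a throwaway self-signed certificate (constructed test data only).
func NewSelfSigned(cn string, serial int64) (*rsa.PrivateKey, *x509.Certificate) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // cannot fail with rand.Reader
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, err := x509.ParseCertificate(der) // also fails if CreateCertificate above did
	if err != nil {
		panic(err)
	}
	return key, cert
}

// BuildMetadata renders constructed IdP metadata listing certs as use="signing" keys, in order.
func BuildMetadata(certs ...*x509.Certificate) []byte {
	s := `<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://adfs.example.test/adfs/services/trust"><md:IDPSSODescriptor>`
	for _, c := range certs {
		s += `<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>` + base64.StdEncoding.EncodeToString(c.Raw) + `</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>`
	}
	return []byte(s + `</md:IDPSSODescriptor></md:EntityDescriptor>`)
}

func main() {
	primaryKey, primary := NewSelfSigned("adfs.example.test", 1)
	_, secondary := NewSelfSigned("adfs.example.test", 2) // same subject as the primary
	attackerKey, attacker := NewSelfSigned("adfs.example.test", 3)
	trusted, _ := ImportSigningCerts(BuildMetadata(primary, secondary))
	body := []byte("<samlp:Response/>")
	genuine, _ := Sign(body, primaryKey)
	forged, _ := Sign(body, attackerKey)
	fmt.Println(Verify(body, genuine, trusted))                      // 0 <nil>: two certs imported, primary matched
	fmt.Println(Verify(body, forged, []*x509.Certificate{attacker})) // 0 <nil>: embedded-cert trust accepts anything
	fmt.Println(Verify(body, forged, trusted))                       // -1 and an error: metadata trust rejects it
}
```

The ordering matters for the rollover case in the thread: a response signed by the secondary certificate is accepted only because Verify falls through to index 1 after index 0 fails, which is exactly what a single-certificate import breaks. Keying the store by thumbprint rather than subject is what keeps both entries; in a real deployment the same thumbprint should also be what you log when verification fails, so that a key rollover on the IdP side is distinguishable from a forged response.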