ComponentSpace Forums

An x509 certificate for the local identity provider hasn't been configured


dmarlow
Junior Member

Group: Forum Members
Posts: 38, Visits: 174
I'm getting the following error when attempting to perform an IdP-initiated (us) SSO to an SP (customer).

ComponentSpace.SAML2.Exceptions.SAMLConfigurationException: An X.509 certificate for the local identity provider hasn't been configured.
 at ComponentSpace.SAML2.Configuration.SAMLConfiguration.GetLocalIdentityProviderCertificate(String partnerServiceProviderName) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\Configuration\SAMLConfiguration.cs:line 672
 at ComponentSpace.SAML2.InternalSAMLIdentityProvider.CreateSAMLResponse(String userName, SAMLAttribute[] attributes, String statusCode, String statusMessage, String assertionConsumerServiceUrl) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\InternalSAMLIdentityProvider.cs:line 519
 at ComponentSpace.SAML2.InternalSAMLIdentityProvider.InitiateSSO(HttpResponseBase httpResponse, String userName, SAMLAttribute[] attributes, String relayState, String partnerSP, String assertionConsumerServiceUrl) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\InternalSAMLIdentityProvider.cs:line 650
 at ComponentSpace.SAML2.SAMLIdentityProvider.InitiateSSO(HttpResponseBase httpResponse, String userName, SAMLAttribute[] attributes, String relayState, String partnerSP, String assertionConsumerServiceUrl) in c:\Sandboxes\ComponentSpace\SAMLv20\Library\SAMLIdentityProvider.cs:line 238


I do have a certificate specified and configured for use.

var config = new SAMLConfiguration
{
    LocalIdentityProviderConfiguration = new LocalIdentityProviderConfiguration
    {
        Name = "...",
        LocalCertificateFile = "...",
        LocalCertificatePassword = "...."
    }
};


I am, however, using the ICertificateManager store. I'm only using the certificate manager to specify custom certificates to use for a specific service provider. Should I also be registering it there or am I wrong to be doing things in two separate places? I was thinking what I have above would be the default and I didn't need to specify it elsewhere.

Thanks,

Dariel
ComponentSpace
ComponentSpace Development

Group: Administrators
Posts: 2K, Visits: 4.6K
Hi Dariel
If you specify an ICertificateManager then it's assumed to handle all requests for certificates. We don't call the ICertificateManager and then the default certificate manager.
You could implement your ICertificateManager by calling the default CertificateManager for those certificates you aren't handling directly.
Your certificate manager would need to initialize the default certificate manager as follows.

var defaultCertificateManager = new CertificateManager();
defaultCertificateManager.Initialize(samlConfiguration);

You would then call the appropriate method on the defaultCertificateManager in your certificate manager if you don't handle this directly.
For example:

public override X509Certificate2 GetLocalIdentityProviderCertificate(string partnerServiceProviderName) {
    return defaultCertificateManager.GetLocalIdentityProviderCertificate(partnerServiceProviderName);
}



Regards
ComponentSpace Development
dmarlow
Junior Member

Group: Forum Members
Posts: 38, Visits: 174
Thanks, that makes sense.

I'm wondering if it's best to modify our custom certificate manager to add the default certificate, used in the SAMLConfiguration, to AddLocalIdentityProviderCertificate to any that don't have a custom one. Hope that made sense. If I override GetLocalIdentityProviderCertificate, then I must keep track of the custom ones I'm adding and either serve the default or use the custom.
Lines 5-7 are what I'd be adding to account for the default certificate manager.

public void AddSpCertificate(ServiceProviderSamlConfig spSamlConfig, PartnerServiceProviderConfiguration spConfig)
{
    if (spSamlConfig.SsoCertificate == null)
    {
        // This is new..
        // Use the default setup in the SAMLConfiguration for this IdP if a custom one isn't specified for the SP.
        AddLocalIdentityProviderCertificate(spConfig.Name, _defCertMgr.GetLocalIdentityProviderCertificate(spConfig.Name));
        return;
    }

    // Custom signing certificate for this SP, loaded from the stored PFX data and its password.
    var cert = new X509Certificate2(spSamlConfig.SsoCertificate, spSamlConfig.SsoCertificatePassword);
    AddLocalIdentityProviderCertificate(spConfig.Name, cert);

    // TODO: store a separate public certificate to validate their certs instead of using embedded cert..
    //AddPartnerServiceProviderCertificate(spConfig.Name, cert);
}



What about when acting as the SP (us) to the IdP (customer)? Our app operates as both SP and IdP. I would imagine that for signing AuthnRequests we'd need to use the certificate in the default certificate manager for any IdP that we aren't specifying a custom signing certificate for.

ComponentSpace
ComponentSpace Development

Group: Administrators
Posts: 2K, Visits: 4.6K
Yes, that's another way to do it.
If you're acting as both the IdP and SP then you would need to ensure you support the GetLocalIdentityProviderCertificate and GetLocalServiceProviderCertificate methods. You could either use the approach I outlined previously or the approach you suggested.

Regards
ComponentSpace Development
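The following is an added example (the editor's code, not ComponentSpace's library code and not Dariel's) that puts the two approaches from this thread together: a certificate manager that keeps per-partner signing certificates, falls back to the library's default `CertificateManager` (initialized from the `SAMLConfiguration`) for every partner that has no custom certificate, and covers both lookups needed by an application that is IdP and SP at once (`GetLocalIdentityProviderCertificate` and `GetLocalServiceProviderCertificate`). Assumptions: the base class name `AbstractCertificateManager` (the `override` in the replies implies a base class; check the exact name in your library version), the `RegisterLocal...` helper names, which are this example's own, and that the base does not already define them.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using ComponentSpace.SAML2.Configuration;

// Added example; not part of the ComponentSpace library or of the original posts.
// ASSUMPTION: the custom manager derives from the library's abstract certificate manager,
// called AbstractCertificateManager here. Confirm the name against your library version.
// Method names GetLocalIdentityProviderCertificate, GetLocalServiceProviderCertificate and
// CertificateManager.Initialize are the ones that appear in this thread.
public class FallbackCertificateManager : AbstractCertificateManager
{
    // The library's default manager, which reads LocalCertificateFile/Password from SAMLConfiguration.
    private readonly CertificateManager _default = new CertificateManager();

    // Custom signing certificates, keyed by partner name.
    private readonly Dictionary<string, X509Certificate2> _idpCertsByPartnerSp =
        new Dictionary<string, X509Certificate2>(StringComparer.Ordinal);
    private readonly Dictionary<string, X509Certificate2> _spCertsByPartnerIdp =
        new Dictionary<string, X509Certificate2>(StringComparer.Ordinal);

    public FallbackCertificateManager(SAMLConfiguration samlConfiguration)
    {
        if (samlConfiguration == null) throw new ArgumentNullException("samlConfiguration");
        // Without this call the default manager has no configuration and every fallback lookup fails.
        _default.Initialize(samlConfiguration);
    }

    // Helper names are this example's own (ASSUMPTION: not defined by the base class).
    // Certificate we sign assertions with when acting as IdP toward this partner SP.
    public void RegisterLocalIdentityProviderCertificate(string partnerServiceProviderName, X509Certificate2 certificate)
    {
        _idpCertsByPartnerSp[partnerServiceProviderName] = RequireSigningCertificate(certificate, partnerServiceProviderName);
    }

    // Certificate we sign AuthnRequests with when acting as SP toward this partner IdP.
    public void RegisterLocalServiceProviderCertificate(string partnerIdentityProviderName, X509Certificate2 certificate)
    {
        _spCertsByPartnerIdp[partnerIdentityProviderName] = RequireSigningCertificate(certificate, partnerIdentityProviderName);
    }

    public override X509Certificate2 GetLocalIdentityProviderCertificate(string partnerServiceProviderName)
    {
        X509Certificate2 custom;
        if (partnerServiceProviderName != null && _idpCertsByPartnerSp.TryGetValue(partnerServiceProviderName, out custom))
        {
            return custom;
        }
        // No custom certificate for this SP: hand the request to the default manager, which
        // throws the SAMLConfigurationException seen in the first post if nothing is configured.
        return _default.GetLocalIdentityProviderCertificate(partnerServiceProviderName);
    }

    public override X509Certificate2 GetLocalServiceProviderCertificate(string partnerIdentityProviderName)
    {
        X509Certificate2 custom;
        if (partnerIdentityProviderName != null && _spCertsByPartnerIdp.TryGetValue(partnerIdentityProviderName, out custom))
        {
            return custom;
        }
        return _default.GetLocalServiceProviderCertificate(partnerIdentityProviderName);
    }

    // A local (signing) certificate is useless without its private key, and an expired one
    // will be rejected by the partner; fail at registration time, not at the first SSO request.
    private static X509Certificate2 RequireSigningCertificate(X509Certificate2 certificate, string partnerName)
    {
        if (certificate == null) throw new ArgumentNullException("certificate");
        if (!certificate.HasPrivateKey)
        {
            throw new ArgumentException(string.Format(
                "Certificate for partner '{0}' has no private key and cannot be used for signing.", partnerName));
        }
        if (DateTime.UtcNow > certificate.NotAfter.ToUniversalTime())
        {
            throw new ArgumentException(string.Format(
                "Certificate for partner '{0}' expired on {1:u}.", partnerName, certificate.NotAfter.ToUniversalTime()));
        }
        return certificate;
    }
}
```

A per-partner PFX is loaded the same way the earlier post does it, `new X509Certificate2(pfxBytes, password)`, and registered with the matching `RegisterLocal...` helper; everything else falls through to the default manager, so the `SAMLConfiguration` certificate stays the single default. Keep the partner's verification certificate separate from your own signing PFX: what you register as a partner SP or partner IdP certificate must be their public certificate, never the key pair you sign with.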