ComponentSpace Forums

Idp with multiple signing certificates

caracostea
New Member
Group: Forum Members
Posts: 2, Visits: 11
Hi,

I am aware that some IDPs include both encryption and signing certificates in their metadata.
Reading another post on this forum I understood that we must use the signing certificate. All good.

However...
Looking at the Microsoft Azure AD metadata, I've noticed they define 3 (three) such signing certificates.

For some reason, pasting some XML here breaks the editor, but you can access the metadata at the following URL:
https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml

On their support pages, they mention that the SPs must try to validate the signatures against all the signing certificates from their metadata file.
This is supposed to allow gracefully changing certificates. This is also consistent with some other info I've found on other sites, like stackoverflow.com.

This is the URL where they are making the statement, under "Token signing certificates" section:
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-federation-metadata

My question is:
How do we support such IDPs, since the configuration allows only for a single certificate for a partner identity provider?
Windows Server AD FS also easily allows configuring multiple certificates for signing.
Is there a more recent version that supports this scenario?
We are currently using SAML v2.0 for .NET4 version 2.6.0.13 (based on the info in the assembly).

Kindly assist,

Thank you!
ComponentSpace
ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K
Version 2.6.0.15 and above support specifying multiple certificates for the partner identity provider. This can be done either programmatically or through the saml.config file.
For example:
<PartnerIdentityProvider
    Name="XXXX"
    PartnerCertificateFile="1.cer"
    SecondaryPartnerCertificateFile="2.cer"/>

The PartnerCertificateFile is tried first and then the SecondaryPartnerCertificateFile.
Please email us to discuss upgrading to the latest release.

Regards
ComponentSpace Development
caracostea
New Member
Group: Forum Members
Posts: 2, Visits: 11
ComponentSpace - 3/15/2017
Version 2.6.0.15 and above support specifying multiple certificates for the partner identity provider. This can be done either programmatically or through the saml.config file.
For example:
<PartnerIdentityProvider
    Name="XXXX"
    PartnerCertificateFile="1.cer"
    SecondaryPartnerCertificateFile="2.cer"/>

The PartnerCertificateFile is tried first and then the SecondaryPartnerCertificateFile.
Please email us to discuss upgrading to the latest release.

Hi,

I've contacted support about the upgrade.
But please tell me... how do we handle three certificates?
Wouldn't it be better that instead of single properties for each certificate we'd have collections?

Thank you!
ComponentSpace
ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K
The current SAML configuration supports two certificates only - the primary and a secondary certificate.
The underlying API code does support collections of certificates with no limit on the number.
For the great majority of use cases, there are no more than two certificates in play which is what the SAML configuration supports.
If you have to support more than two certificates, you need to implement your own ComponentSpace.SAML2.Certificates.ICertificateManager.
This includes methods that return IList<X509Certificate2>.
However, my recommendation is to support two certificates only through the configuration.

Regards
ComponentSpace Development
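Added example (not ComponentSpace's code, and not the ICertificateManager implementation the reply above refers to, whose method names the thread does not give): the certificate-selection logic an SP needs for an IdP such as Azure AD that publishes several signing certificates at once. It serves both the two-certificate saml.config answer and the "more than two" answer, is written in Go against the standard library so it runs offline, and everything in it is constructed for the example: the metadata document, the key pairs, the sample message, and the names signingCertificates, verifyAgainstAny, selfSignedDER, sign and demo. A plain RSA PKCS#1 v1.5 signature over the message bytes stands in for XML-DSig reference and signature processing. It also shows two points the thread only implies: a KeyDescriptor with use="encryption" must be excluded from the verifier set even though it sits in the same metadata, and a KeyDescriptor with no use attribute counts as a signing key under the SAML metadata specification.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"math/big"
	"strings"
	"time"
)
// Minimal view of an IdP EntityDescriptor. Tags match on local name, so md:/ds: prefixes do not matter.
type entityDescriptor struct {
	Keys []struct {
		Use  string `xml:"use,attr"`
		Cert string `xml:"KeyInfo>X509Data>X509Certificate"`
	} `xml:"IDPSSODescriptor>KeyDescriptor"`
}

// signingCertificates returns, in document order, every certificate the IdP publishes for signing:
// use="signing" and keys with no use attribute (valid for both purposes). use="encryption" is skipped.
func signingCertificates(metadata []byte) ([]*x509.Certificate, error) {
	var ed entityDescriptor
	if err := xml.Unmarshal(metadata, &ed); err != nil {
		return nil, err
	}
	var certs []*x509.Certificate
	for _, k := range ed.Keys {
		if k.Use != "" && k.Use != "signing" {
			continue
		}
		// Real metadata line-wraps the base64, so strip all whitespace before decoding.
		der, err := base64.StdEncoding.DecodeString(strings.Join(strings.Fields(k.Cert), ""))
		if err != nil {
			return nil, err
		}
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

// verifyAgainstAny tries the published certificates in order (primary first, like PartnerCertificateFile then
// SecondaryPartnerCertificateFile, but with no limit of two) and returns the index that validated. Only metadata
// certificates are candidates, never one carried in the message's own KeyInfo. PKCS#1 v1.5/SHA-256 stands in for XML-DSig.
func verifyAgainstAny(message, sig []byte, certs []*x509.Certificate) (int, error) {
	digest := sha256.Sum256(message)
	for i, c := range certs {
		if pub, ok := c.PublicKey.(*rsa.PublicKey); ok && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil {
			return i, nil
		}
	}
	return -1, fmt.Errorf("signature does not verify under any of %d published signing certificates", len(certs))
}
// Fixture helpers (errors ignored; these calls cannot fail on this input): a throwaway self-signed
// certificate for key, and the signer matching verifyAgainstAny.
func selfSignedDER(key *rsa.PrivateKey) []byte {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der
}
func sign(key *rsa.PrivateKey, message []byte) []byte {
	digest := sha256.Sum256(message)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return sig
}
// demo builds constructed metadata shaped like Azure AD's (three signing keys mid-rollover plus one
// encryption key), signs with the third signing key, and checks that the encryption key cannot verify.
func demo() (matched, published int, encryptionKeyRejected bool, err error) {
	keys := make([]*rsa.PrivateKey, 4)
	md := `<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><IDPSSODescriptor>`
	for i, use := range []string{"signing", "signing", "signing", "encryption"} {
		keys[i], _ = rsa.GenerateKey(rand.Reader, 2048)
		md += `<KeyDescriptor use="` + use + `"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>` +
			base64.StdEncoding.EncodeToString(selfSignedDER(keys[i])) + `</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>`
	}
	certs, err := signingCertificates([]byte(md + `</IDPSSODescriptor></EntityDescriptor>`))
	if err != nil {
		return 0, 0, false, err
	}
	msg := []byte(`<samlp:Response ID="_constructed-sample"/>`)
	if matched, err = verifyAgainstAny(msg, sign(keys[2], msg), certs); err != nil {
		return 0, 0, false, err
	}
	_, encErr := verifyAgainstAny(msg, sign(keys[3], msg), certs)
	return matched, len(certs), encErr != nil, nil
}

func main() {
	matched, published, rejected, err := demo()
	fmt.Printf("published=%d matched=#%d encryptionKeyRejected=%v err=%v\n", published, matched, rejected, err)
}
```

Because the candidate list comes from the metadata document rather than from a fixed pair of .cer files, keeping it current through an Azure AD rollover means re-fetching the FederationMetadata.xml URL on a schedule instead of hand-copying certificates; whichever way the list is sourced, it must never be extended with a certificate taken from the incoming message itself, or the "try every certificate" loop degrades into accepting any self-signed message.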