ComponentSpace Forums

SSO High Level Skip SP.PFX Authentication

Kin
New Member (9 reputation), Group: Forum Members, Posts: 7, Visits: 16

Hi support, recently we integrated and deployed our product with SSO capability into our customer's environment. While testing, we always receive a SAML response error after a successful login at the ADFS authentication page. We notice that the underlying problem is coming from sp.pfx.

We are aware that sp.pfx and sp.cer are required in order to initiate SSO. But our client refused to provide sp.pfx due to security concerns. We are in the midst of struggling to overcome this. We would like to know: is it possible to skip, or not include, the sp.pfx certificate at all in order to initiate SSO without a SAML response error?

Please kindly let me know of any workaround or solution to cater for this, as it is of critical urgency to us.


ComponentSpace Development
ComponentSpace Development (4.4K reputation), Group: Administrators, Posts: 3.2K, Visits: 11K

What is the underlying problem with the sp.pfx?
What errors are in the Windows event log on the ADFS server?
Is your client the owner of the SP site that you developed?
If so, and they don't wish for you to have access to their private key, they will need to update the saml.config themselves to specify the PFX file.

Regards
ComponentSpace Development

Kin

> ComponentSpace - 3/7/2019
> What is the underlying problem with the sp.pfx?
> What errors are in the Windows event log on the ADFS server?
> Is your client the owner of the SP site that you developed?
> If so, and they don't wish for you to have access to their private key, they will need to update the saml.config themselves to specify the PFX file.

The SP site is owned by our client, but their argument is that other applications do not require a private key certificate yet are able to initiate SSO. We tried to convince them that it is the backbone of the library and is required, but they still refuse to distribute the certificate with the private key.

I believe their objective is to achieve SSO with just the .cer certificate, without the private key.

Please kindly advise whether the above is achievable?

ComponentSpace Development

The private key (ie PFX file) should not be distributed. It's used by their SP site but isn't required by the IdP or any other party.
We do not enforce the use of a private key.
The SP doesn't need a private key unless either SAML messages are to be signed or SAML assertions are encrypted.
If the IdP is using ADFS, the SAML authn requests sent to ADFS don't have to be signed.
However, if you wish to support SAML logout, ADFS requires all SAML messages to be signed.
This is a requirement of ADFS. It's not a limitation on our side.
Therefore, your choices when ADFS is the IdP are:
1. Don't configure a private key in the SP, don't sign SAML authn requests, but don't support SAML logout.
2. Configure a private key in the SP, sign SAML authn requests, support SAML logout.

Regards
ComponentSpace Development

Kin

> ComponentSpace - 3/7/2019
> The private key (ie PFX file) should not be distributed. It's used by their SP site but isn't required by the IdP or any other party.
> We do not enforce the use of a private key.
> The SP doesn't need a private key unless either SAML messages are to be signed or SAML assertions are encrypted.
> If the IdP is using ADFS, the SAML authn requests sent to ADFS don't have to be signed.
> However, if you wish to support SAML logout, ADFS requires all SAML messages to be signed.
> This is a requirement of ADFS. It's not a limitation on our side.
> Therefore, your choices when ADFS is the IdP are:
> 1. Don't configure a private key in the SP, don't sign SAML authn requests, but don't support SAML logout.
> 2. Configure a private key in the SP, sign SAML authn requests, support SAML logout.

Our side is the SP, and ADFS serves as the IdP. Based on your explanation, here is what I understand:
1) The .pfx file is not mandatory, but without it SAML logout will fail, correct?
2) Configuring a private key in the SP, meaning the .pfx file, is required just to support SAML logout?

May I know, if I would like to go with point 1, which area I need to configure so that, without sp.pfx, my application is still able to receive the SAML response and log in to the application successfully?

In my simulation environment, I tried to exclude sp.pfx from the Certificate folder but I get an error like this:


ComponentSpace Development

Regarding the two points you listed, your understanding is correct.
To not sign the authn request, on the SP side you need to set SignAuthnRequest to false in your saml.config.
You can also remove the LocalCertificateFile and LocalCertificatePassword.
In ADFS you need to delete the certificate under the Signature tab of the relying party's properties.
You should also delete the certificate, if any, under the Encryption tab as you don't want the SAML assertion encrypted.

Regards
ComponentSpace Development

Kin

> ComponentSpace - 3/7/2019
> Regarding the two points you listed, your understanding is correct.
> To not sign the authn request, on the SP side you need to set SignAuthnRequest to false in your saml.config.
> You can also remove the LocalCertificateFile and LocalCertificatePassword.
> In ADFS you need to delete the certificate under the Signature tab of the relying party's properties.
> You should also delete the certificate, if any, under the Encryption tab as you don't want the SAML assertion encrypted.

Thanks for the advice. I tried to simulate without signing the authn request and I am able to log in successfully.

As you have just mentioned, the logout event is broken. I believe the client may have strict concerns and complain about this as well.

Sorry about this question, but are there other alternatives to execute a 'clean' logout through program control, or alternatives to achieve a backend sign-out (such as deleting the cookie)?

ComponentSpace Development

The alternatives to the SAML logout are:
1. Logout locally at the SP and leave the user logged in at ADFS.
2. Logout locally at the SP and ask the user to close the browser to discard the ADFS authentication cookie.
I wouldn't advise attempting to delete cookies etc as a general solution.
It would be better to sign SAML messages and get your client to provide the private key.
If they're unhappy about configuring the PFX file themselves, they could install the certificate and private key into the Windows certificate store on the SP server and have saml.config reference this rather than using a PFX file.

Regards
ComponentSpace Development

Kin

> ComponentSpace - 3/7/2019
> The alternatives to the SAML logout are:
> 1. Logout locally at the SP and leave the user logged in at ADFS.
> 2. Logout locally at the SP and ask the user to close the browser to discard the ADFS authentication cookie.
> I wouldn't advise attempting to delete cookies etc as a general solution.
> It would be better to sign SAML messages and get your client to provide the private key.
> If they're unhappy about configuring the PFX file themselves, they could install the certificate and private key into the Windows certificate store on the SP server and have saml.config reference this rather than using a PFX file.

Thanks for the advice. I believe importing into the Windows certificate store might be a preferable approach.

I'm conducting the testing in my own environment. By following the certificate documentation guideline I have successfully imported the .pfx cert into the cert store as follows:


I also have my saml.config as follows:


But I keep on getting an error as follows:


May I know which part I have configured wrongly? In the Windows cert store or saml.config?

ComponentSpace Development

You should import the certificate into the LocalMachine store rather than the CurrentUser and remove the LocalCertificateStoreLocation in your saml.config.
From your images, it appears you did import into the LocalMachine store.
If that's the case, simply remove LocalCertificateStoreLocation from your saml.config.

Regards
ComponentSpace Development
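An added check for the point this thread ends on (example script, not ComponentSpace's code): it looks for the SP certificate by thumbprint in both LocalMachine\My and CurrentUser\My and reports whether the copy found there carries a private key, so a CurrentUser-only import or a .cer-only import shows up before saml.config is edited. The thumbprint is a placeholder you replace with your own.

```powershell
# Added example, not part of the ComponentSpace library or documentation.
# The thumbprint below is a placeholder for the SP certificate's thumbprint.
param(
    [string]$Thumbprint = 'PLACEHOLDER_SP_CERT_THUMBPRINT'
)

function Find-SpCertificate {
    param([string]$Thumbprint)
    # A web application running under IIS reads LocalMachine; CurrentUser is the
    # interactive user's store, so a certificate imported there is invisible to it.
    foreach ($location in 'LocalMachine', 'CurrentUser') {
        $cert = Get-ChildItem -Path "Cert:\$location\My" -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $Thumbprint }   # -eq is case-insensitive
        if ($cert) {
            [pscustomobject]@{
                StoreLocation = $location
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                HasPrivateKey = $cert.HasPrivateKey   # false: only the .cer was imported
                NotAfter      = $cert.NotAfter
            }
        }
    }
}

$found = @(Find-SpCertificate -Thumbprint $Thumbprint)

if (-not $found) {
    Write-Warning "Certificate $Thumbprint not found in LocalMachine\My or CurrentUser\My."
}
foreach ($f in $found) { $f | Format-List }

# The usable state: present in LocalMachine and carrying the private key,
# which is what the SP needs to sign authn and logout requests.
$usable = $found | Where-Object { $_.StoreLocation -eq 'LocalMachine' -and $_.HasPrivateKey }
if ($usable) {
    Write-Output "OK: SP certificate is in LocalMachine\My with a private key."
} elseif ($found | Where-Object { $_.StoreLocation -eq 'CurrentUser' }) {
    Write-Warning "Certificate is only in CurrentUser\My. Re-import the PFX into LocalMachine\My, e.g.:"
    Write-Warning "  Import-PfxCertificate -FilePath .\sp.pfx -CertStoreLocation Cert:\LocalMachine\My -Password (Read-Host -AsSecureString)"
} elseif ($found) {
    Write-Warning "Certificate is present without a private key: the .cer was imported instead of the .pfx."
}
```

Once the certificate is in LocalMachine\My, the IIS application pool identity also needs read permission on its private key (Manage Private Keys in the certificate console), otherwise the store entry is present but the key is not usable by the application.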