ComponentSpace

Forums



Updating IdP Certificates


Updating IdP Certificates

Author
Message
fabio
fabio
New Member
New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)

Group: Forum Members
Posts: 20, Visits: 88
Hi!

We implemented our SP using your libraries.
A client of ours, that uses ADFS as IdP, now wants to updates his own certificates. So he's going to send us his new FederationMetadata.xml containing the new Base64 certificate string.

To import that file into our system and configuration, we want to use the same method we use when we configure a brand new client:
SnippetMetadataImporter.ImportIdentityProviders


But testing this method I saw that if a configuration for a Partner is already present no updates happen. I mean, no certificates is updated nor appended to the certificates list (for the rollover).

How can we achieve this?

Thank you,
Fabio
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)

Group: Administrators
Posts: 3K, Visits: 9.8K
Hi Fabio,

What version of the SAML library are you using?

Just to confirm, are you calling the following method?


public static void ImportIdentityProviders(
    EntityDescriptor entityDescriptor,
    SAMLConfiguration samlConfiguration,
    string certificateFolder)



Metadata.ImportIdentityProviders removes any old entry prior to adding the new entry to the SAML configuration.

If there's still an issue, you're welcome to contact [email protected] and send the following so we can investigate further:

1. saml.config as an email attachment (obfuscate any passwords)
2. ADFS metadata XML as an email attachment
3. section of code where you call Metadata.ImportIdentityProviders

Thanks.

Regards
ComponentSpace Development
fabio
fabio
New Member
New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)

Group: Forum Members
Posts: 20, Visits: 88
ComponentSpace - 1/14/2022
Hi Fabio,

What version of the SAML library are you using?

Just to confirm, are you calling the following method?


public static void ImportIdentityProviders(
    EntityDescriptor entityDescriptor,
    SAMLConfiguration samlConfiguration,
    string certificateFolder)



Metadata.ImportIdentityProviders removes any old entry prior to adding the new entry to the SAML configuration.

If there's still an issue, you're welcome to contact [email protected].com and send the following so we can investigate further:

1. saml.config as an email attachment (obfuscate any passwords)
2. ADFS metadata XML as an email attachment
3. section of code where you call Metadata.ImportIdentityProviders

Thanks.

Hi!

we are using version 4.0.0 and yes, that is exactly the method we use to update the configuration.
But it does not seem to work.

These are the steps to reproduce the problem:
1- create a saml.config for an SP and import a metadata for the IdP.
2- take the same ipd metadata and change the base64 certificate string, just to simulate a new one
3- update the previous saml.config using ImportIdentityProviders method
4- the certificate string does not change.

Here's the code section we use to update the file.


Thank you,
Fabio
fabio
fabio
New Member
New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)

Group: Forum Members
Posts: 20, Visits: 88
fabio - 1/17/2022
ComponentSpace - 1/14/2022
Hi Fabio,

What version of the SAML library are you using?

Just to confirm, are you calling the following method?


public static void ImportIdentityProviders(
    EntityDescriptor entityDescriptor,
    SAMLConfiguration samlConfiguration,
    string certificateFolder)



Metadata.ImportIdentityProviders removes any old entry prior to adding the new entry to the SAML configuration.

If there's still an issue, you're welcome to contact [email protected] and send the following so we can investigate further:

1. saml.config as an email attachment (obfuscate any passwords)
2. ADFS metadata XML as an email attachment
3. section of code where you call Metadata.ImportIdentityProviders

Thanks.

Hi!

we are using version 4.0.0 and yes, that is exactly the method we use to update the configuration.
But it does not seem to work.

These are the steps to reproduce the problem:
1- create a saml.config for an SP and import a metadata for the IdP.
2- take the same ipd metadata and change the base64 certificate string, just to simulate a new one
3- update the previous saml.config using ImportIdentityProviders method
4- the certificate string does not change.

Here's the code section we use to update the file.


Thank you,
Fabio

Sorry, my bad!
I've been able to import the "new" metadata with the updated certificate right now.
Last week, what i did was to use a fake base64 string: just a random sequence of letters written by me and It didn't work.
This morning I used a real certificate string.
Is there any certificate validation check behind the scene that makes no updates if the certificate string is not valid?

Anyway, this part of the problem seems fixed.
Still there's our need to import another certificate to make it available in a rollover certificate scenario.

If ImportIdentityProviders method overrides anything already present, how can we append another certificate? how can we achieve the rollover?

Thank you,
Fabio
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)

Group: Administrators
Posts: 3K, Visits: 9.8K
Hi Fabio,

We validate the certificate string and it will be ignored if it isn't correct.

As you've seen, the MetadataImporter replaces the old certificate with the new certificate. It doesn't keep the old certificate.

Just to confirm, you wish to keep the old certificate but update the configuration with the new certificate so there are two certificates configured for the partner identity provider?
  

Regards
ComponentSpace Development
fabio
fabio
New Member
New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)

Group: Forum Members
Posts: 20, Visits: 88
ComponentSpace - 1/17/2022
Hi Fabio,

We validate the certificate string and it will be ignored if it isn't correct.

As you've seen, the MetadataImporter replaces the old certificate with the new certificate. It doesn't keep the old certificate.

Just to confirm, you wish to keep the old certificate but update the configuration with the new certificate so there are two certificates configured for the partner identity provider?
  

Actually, that is not completely correct.

As I told you yesterday, in my lab, I tried to update the IdP config using a new FederationMetadata.xml in which i changed the certificate.
Using a real certificate, the signing certificate string in my saml.config has been overridden.
In this test, I used two totally different certificate: the first one was the one imported from the metadata xml, the second one was a valid one but obtained from another client.
It was just another base 64 cert string, issued by another CA for another customer.

Yesterday, the client that wants to update the certificate sent to us the new FederationMetadata.xml with the new certificates.
I tried to import it as it was and.. it was added to the PartnerIdp certificates along with the old one! And that is exactly what i wanted.
You can see this behaviour in the image where you see both the sign certificates.
https://www.componentspace.com/forums/Uploads/Images/c44c7046-2027-44be-a672-4752.png

Could you please explain to me how it works? When the certificate is overridden and when it is added with the others?

Thank you,
Fabio
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)

Group: Administrators
Posts: 3K, Visits: 9.8K
Hi Fabio,

The import is a replacement operation rather than a merge.

We delete the <PartnerIdentityProvider> entry before adding a new <PartnerIdentityProvider> entry.

This means any old <Certificate> entries etc are removed.

The new <PartnerIdentityProvider> entry is based off the imported metadata only and has no knowledge of the old <PartnerIdentityProvider> entry.

If you're seeing something different, please email us at [email protected] your saml.config prior to the metadata import, the metadata XML being imported, and the updated saml.config so we can reproduce what you're seeing.

Regards
ComponentSpace Development
fabio
fabio
New Member
New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)New Member (26 reputation)

Group: Forum Members
Posts: 20, Visits: 88
ComponentSpace - 1/18/2022
Hi Fabio,

The import is a replacement operation rather than a merge.

We delete the <PartnerIdentityProvider> entry before adding a new <PartnerIdentityProvider> entry.

This means any old <Certificate> entries etc are removed.

The new <PartnerIdentityProvider> entry is based off the imported metadata only and has no knowledge of the old <PartnerIdentityProvider> entry.

If you're seeing something different, please email us at [email protected] your saml.config prior to the metadata import, the metadata XML being imported, and the updated saml.config so we can reproduce what you're seeing.

Hi,
I just sent an email to the support, as requested.

Thank you,
Fabio
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)ComponentSpace Development (4.1K reputation)

Group: Administrators
Posts: 3K, Visits: 9.8K
Thank you for sending these files.

The saml.config files match exactly what I would expect given the corresponding SAML metadata.

The updated metadata is the same as the original except for the inclusion of the second signing certificate.

The updated saml.config is the same as the original except for the inclusion of the second signing certificate.

Everything looks to be working as expected.

As I’ve mentioned, MetadataImporter.ImportIdentityProviders is a replacement rather than a merge operation.

It removes any current configuration for the partner identity provider before importing it.

MetadataImporter.ImportIdentityProviders produces the same result whether the SAML configuration already has a configuration for the partner identity provider or not.

The reason the updated saml.config includes two signing certificates is because the new SAML metadata includes two signing certificates.


Regards
ComponentSpace Development
GO


Similar Topics


Execution: 0.000. 1 query. Compression Enabled.
Login
Existing Account
Email Address:


Password:


Social Logins

Select a Forum....












Forums, Documentation & Knowledge Base - ComponentSpace


Search