PartnerCertificates in PartnerProviderConfiguration can handle both expired and non-expired...
ganeshsivam
New Member
Group: Forum Members
Posts: 8, Visits: 40
Hi,
Can PartnerCertificates in PartnerIdentityProviderConfiguration handle both expired and non-expired certificates to validate the SAML Assertion?

We have a scenario where the existing certificate can expire in the future, and we want to add support to load the backup certificate (with a longer expiry date than the existing one) in PartnerCertificates. If validation of the SAML Assertion fails with the expired certificate, can ComponentSpace SAML validate with the other, non-expired certificates from the list of PartnerCertificates?

When I have both expired and non-expired certificates in PartnerCertificates, I receive the following error:

ComponentSpace.Saml2.Exceptions.SamlCertificateException: The X.509 certificate could not be loaded from the string.
---> ComponentSpace.Saml2.Exceptions.SamlCertificateException: The X.509 certificate with subject name E=[email protected], CN=test, OU=SSOProvider, O=idp, L=San Francisco, S=California, C=US, serial number 00B08FEA3C1A0CFC68 and thumbprint 5E101179FC71B1A61312EE0D945A1BECD4216EE0 failed to validate.
 at ComponentSpace.Saml2.Certificates.CertificateLoader.ValidateCertificate(X509Certificate2 x509Certificate)
 at ComponentSpace.Saml2.Certificates.CertificateLoader.LoadCertificateFromStringAsync(String certificateString, String certificatePassword)
 --- End of inner exception stack trace ---
 at ComponentSpace.Saml2.Certificates.CertificateLoader.LoadCertificateFromStringAsync(String certificateString, String certificatePassword)
 at ComponentSpace.Saml2.Certificates.AbstractCachedCertificateLoader.LoadCertificateFromStringAsync(String certificateString, String certificatePassword)
 at ComponentSpace.Saml2.Certificates.CertificateManager.LoadCertificatesAsync(IList`1 certificates, CertificateUse certificateUse)
 at ComponentSpace.Saml2.Certificates.CertificateManager.GetPartnerIdentityProviderCertificatesAsync(PartnerIdentityProviderConfiguration partnerIdentityProviderConfiguration, CertificateUse certificateUse)
 at ComponentSpace.Saml2.SamlServiceProvider.GetPartnerProviderSignatureCertificatesAsync(Boolean precondition)
 at ComponentSpace.Saml2.SamlServiceProvider.VerifySamlResponseSignatureAsync(XmlElement samlResponseElement)
 at ComponentSpace.Saml2.SamlServiceProvider.ProcessSamlResponseAsync(XmlElement samlResponseElement, String relayState)
 at ComponentSpace.Saml2.SamlServiceProvider.ReceiveSsoAsync()


Please advise.
Thanks


ComponentSpace
ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K
By default we check for expired certificates.

This check can be turned off through the CertificateValidationOptions.


using ComponentSpace.Saml2.Certificates;
using ComponentSpace.Saml2.Configuration;
using ComponentSpace.Saml2.Session;

// Disable the NotAfter (expiry) check applied when certificates are loaded.
services.Configure<CertificateValidationOptions>(options =>
{
    options.EnableNotAfterCheck = false;
});

// Add SAML SSO services.
services.AddSaml(Configuration.GetSection("SAML"));

Regards
ComponentSpace Development
ganeshsivam
New Member
Group: Forum Members
Posts: 8, Visits: 40
Thanks for replying.
As I understand from your reply, the feature isn't available in ComponentSpace SAML. Am I right?
If so, why is there a list of PartnerCertificates? In my case it has both expired and non-expired certificates in it, and ComponentSpace SAML could evaluate each certificate and validate the incoming SAML Assertion before reporting that none of the certificates in PartnerCertificates are valid.
ComponentSpace
ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K
You need to turn off the certificate validation for this to work.

We will consider changing this functionality in a future release so this isn't necessary.

Regards
ComponentSpace Development
mzimmerman@accruent.com
New Member
Group: Forum Members
Posts: 5, Visits: 21
This would also be useful functionality for my org. I'm surprised that having expired and non-expired certs wasn't thought of in the original implementation. And the exception message isn't obvious at all. As the previous poster indicated, this defeats the purpose of supporting a list of certificates. Why wouldn't it validate only the certificate in the current request?

The current implementation is causing problems for my customers, so we've created a custom implementation of ISamlConfigurationResolver to remove the expired certs from the list before ComponentSpace tries to validate them. Hope that workaround can help others struggling with this issue.
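The workaround the post describes, as an added example rather than the poster's or ComponentSpace's own code: drop expired entries from the configured partner certificate list before the library loads them, so the NotAfter check can stay enabled instead of being switched off globally with EnableNotAfterCheck. The certificates are handled as base64 DER strings (an assumption about how the entries are held); wiring the filter into a custom ISamlConfigurationResolver is not shown.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
public static class PartnerCertificateFilter
{
    // Keep only base64 DER certificates whose validity window contains `now` (UTC).
    // Expired, not-yet-valid and unparsable entries are dropped and logged, so the
    // library's own NotAfter check can stay enabled for whatever remains.
    public static List<string> DropExpired(IEnumerable<string> base64Certs, DateTime now, Action<string> log)
    {
        var kept = new List<string>();
        foreach (var b64 in base64Certs)
        {
            X509Certificate2 cert;
            try { cert = new X509Certificate2(Convert.FromBase64String(b64)); }
            catch (Exception ex) { log($"skipped unparsable certificate: {ex.Message}"); continue; }
            using (cert)
            {
                DateTime notBefore = cert.NotBefore.ToUniversalTime(), notAfter = cert.NotAfter.ToUniversalTime();
                if (now > notAfter) log($"skipped expired {cert.Thumbprint} (NotAfter {notAfter:u})");
                else if (now < notBefore) log($"skipped not-yet-valid {cert.Thumbprint} (NotBefore {notBefore:u})");
                else kept.Add(b64);
            }
        }
        if (kept.Count == 0) log("no usable partner certificate remains; signature verification will fail closed");
        return kept;
    }

    // Constructed test data: a self-signed certificate with a chosen validity window.
    public static string SelfSigned(string cn, DateTime from, DateTime to)
    {
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest($"CN={cn}", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var cert = req.CreateSelfSigned(from, to);
        return Convert.ToBase64String(cert.Export(X509ContentType.Cert));
    }

    public static void Main()
    {
        var now = DateTime.UtcNow;
        var configured = new[]
        {
            SelfSigned("idp-old", now.AddYears(-2), now.AddDays(-1)),   // rolled-over, expired yesterday
            SelfSigned("idp-new", now.AddDays(-1), now.AddYears(2)),    // current signing certificate
        };
        var usable = DropExpired(configured, now, Console.WriteLine);
        Console.WriteLine($"{usable.Count} of {configured.Length} partner certificates kept");
    }
}
```

Filtering before load keeps a response signed with the retired key failing, which is the outcome the thread later agrees on, without accepting expired certificates anywhere else.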
ComponentSpace
ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K
Thank you for your feedback.

We'll look to include more specific exception messages (e.g. "certificate has expired" rather than "certificate failed to validate").

I'd like to see what you think of the following.

Suppose there are two partner certificates configured - one has expired and the other hasn't.

If a SAML response is received that's signed with the unexpired certificate, this should succeed.

However, if a SAML response is received that's signed with the expired certificate, what should happen? If certificate validation is enabled, we'll throw an exception and SSO will fail. If certificate validation has been turned off, signature verification and SSO should succeed.

What do you think?

Regards
ComponentSpace Development
ganeshsivam
New Member
Group: Forum Members
Posts: 8, Visits: 40
ComponentSpace - 11/28/2022
Thank you for your feedback.

We'll look to include more specific exception messages (e.g. "certificate has expired" rather than "certificate failed to validate").

I'd like to see what you think of the following.

Suppose there are two partner certificates configured - one has expired and the other hasn't.

If a SAML response is received that's signed with the unexpired certificate, this should succeed.

However, if a SAML response is received that's signed with the expired certificate, what should happen? If certificate validation is enabled, we'll throw an exception and SSO will fail. If certificate validation has been turned off, signature verification and SSO should succeed.

What do you think?

If certificate validation has been turned on, then before throwing an error ComponentSpace could validate the incoming SAMLResponse with the certificates (both expired and non-expired) from the list of PartnerCertificates.


ComponentSpace
ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K
Yes, but if certificate validation is enabled and the SAML response is signed using the expired certificate, what should we do? I'm suggesting we throw an exception and the SSO fails.

Regards
ComponentSpace Development
ganeshsivam
New Member
Group: Forum Members
Posts: 8, Visits: 40
ComponentSpace - 11/28/2022
Yes, but if certificate validation is enabled and the SAML response is signed using the expired certificate, what should we do? I'm suggesting we throw an exception and the SSO fails.

In that case, we should still fail because the certificate is expired.
ComponentSpace
ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K
We're in agreement. I'll wait to hear back from the other poster as well.


Regards
ComponentSpace Development