ComponentSpace Forums

Read the certificate from Azure key vault and SP authentication scenario


milindnikam
New Member
Group: Awaiting Activation
Posts: 2, Visits: 19
Hello Team,

.NET version: 4.7.2

We are currently using ComponentSpace.SAML2 version 3.2.0.0 for the SP-initiated flow and it is working. In this case, we store the certificate in the local IIS directory and set the file path in LocalCertificateFile.

Now we have a new requirement to read the certificate from Azure Key Vault and use that certificate in the service provider-initiated authentication flow.

I have read the certificate from Azure Key Vault, but in this case what we get is an X509Certificate2 object.

How do I configure the SAML properties from this object?

Could you please help with this? 

Code:

    using System;
    using System.Security.Cryptography.X509Certificates;
    using System.Text;
    using Azure.Identity;
    using Azure.Security.KeyVault.Certificates;
    using ComponentSpace.SAML2.Configuration;

    // Authenticate to Key Vault with an app registration's client secret.
    var clientCredential = new ClientSecretCredential(tenantId, clientId, clientSecret);
    var certificateClient = new CertificateClient(new Uri(keyVaultUrl), clientCredential);
    try
    {
        // Retrieve the certificate and its policy from Key Vault.
        KeyVaultCertificateWithPolicy certificate = certificateClient.GetCertificate(certificateName);

        // certificate.Cer is the DER-encoded public X.509 certificate.
        X509Certificate2 x509Certificate = new X509Certificate2(certificate.Cer);

        localCertificateThumbprint = x509Certificate.Thumbprint;

        localCertificateSubject = x509Certificate.Subject;

        // Base64 of the DER-encoded public certificate.
        localString = Convert.ToBase64String(x509Certificate.Export(X509ContentType.Cert));

        // Re-parses the Base64 text as a certificate and re-encodes its RawData.
        localString = Convert.ToBase64String(new X509Certificate2(Encoding.ASCII.GetBytes(localString)).RawData);
    }
    catch (Exception ex)
    {
        // Handle exceptions
        // ex.Message contains error details
    }

    LocalServiceProviderConfiguration localServiceProvider = GetLocalServiceProviderConfiguration(configurationID);
    //localServiceProvider.LocalCertificateString = localString;
    //localServiceProvider.LocalCertificateFile = localString;
    localServiceProvider.LocalCertificateString = localString;
    localServiceProvider.LocalCertificateThumbprint = localCertificateThumbprint;
    localServiceProvider.LocalCertificateSubject = localCertificateSubject;



ComponentSpace
ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K
You need to include the private key in the exported certificate.

For example:


var certificateString = Convert.ToBase64String(x509Certificate.Export(X509ContentType.Pkcs12));



You can then specify this through the LocalCertificateString property.


localServiceProvider.LocalCertificateString = certificateString;



Don't specify other properties such as LocalCertificateThumbprint etc.

Later releases of the SAML library have more direct support for the Azure key vault as described in the applicable Certificate Guide.

Regards
ComponentSpace Development
milindnikam
New Member
Group: Awaiting Activation
Posts: 2, Visits: 19

I have uploaded the .pfx file to Azure Key Vault.
I have made the following changes to the above code:
    try
    {
        // Retrieve the certificate
        KeyVaultCertificateWithPolicy certificate = certificateClient.GetCertificate(certificateName);
        // Extract the public X.509 certificate
        X509Certificate2 x509Certificate = new X509Certificate2(certificate.Cer);
        //localString = Convert.ToBase64String(x509Certificate.Export(X509ContentType.Pkcs12));
        //both options checked
        localString = Convert.ToBase64String(x509Certificate.Export(X509ContentType.Pfx));
    }
    catch (Exception ex)
    {
        // Handle exceptions
        // ex.Message contains error details
    }

    localServiceProvider.LocalCertificateString = localString;
    localServiceProvider.LocalCertificatePassword = "xxx";

ComponentSpace.SAML2.Exceptions.SAMLCertificateException: 'The X.509 certificate could not be loaded from the string "' CryptographicException: The specified network password is not correct.

But I have checked that the password is correct; it is the same one used in the local file path scenario.

Could you please help on this.

Thanks 


ComponentSpace
ComponentSpace Development
Group: Administrators
Posts: 3.2K, Visits: 11K
The certificate file password is only relevant for loading the certificate from the file.

If you wish to password protect the exported certificate, you need to use the Export method overload that takes a password.

For example:


var certificateString = Convert.ToBase64String(x509Certificate.Export(X509ContentType.Pkcs12, "topsecret"));



You then specify both the LocalCertificateString and LocalCertificatePassword.


localServiceProvider.LocalCertificateString = certificateString;
localServiceProvider.LocalCertificatePassword = "topsecret";



For more information, please refer to the Microsoft documentation on the X509Certificate.Export method.

Regards
ComponentSpace Development
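
Added example, not from the original thread and not ComponentSpace's own code: an end-to-end version of what the two replies above describe, for .NET Framework 4.7.2 with the Azure.Security.KeyVault.Certificates and Azure.Identity packages. It fetches the certificate together with its private key (GetCertificate's Cer property is only the public certificate, so an X509Certificate2 built from it has HasPrivateKey == false and its PKCS#12 export carries no key), exports it as a password-protected PKCS#12 blob, sets LocalCertificateString and LocalCertificatePassword with the same password, and checks that the blob reloads with a private key before the SAML library ever sees it. The class and method names, the randomly generated export password, the constructed self-signed test certificate used in Main, the placeholder vault URL and certificate name, and the assumption that LocalServiceProviderConfiguration has a public parameterless constructor are this example's own.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;
using ComponentSpace.SAML2.Configuration;

public static class KeyVaultSamlCertificate
{
    // Downloads the certificate with its private key. Unlike GetCertificate (Cer is the
    // public certificate only), DownloadCertificate reads the secret that backs the Key
    // Vault certificate, so the identity also needs "Get" on secrets and the certificate
    // policy must mark the key exportable. Exportable storage is requested so the key can
    // be re-exported as PKCS#12 below.
    public static X509Certificate2 DownloadWithPrivateKey(
        Uri keyVaultUrl, string certificateName, TokenCredential credential)
    {
        var client = new CertificateClient(keyVaultUrl, credential);
        var options = new DownloadCertificateOptions(certificateName)
        {
            KeyStorageFlags = X509KeyStorageFlags.Exportable
        };
        X509Certificate2 certificate = client.DownloadCertificate(options);
        return certificate;
    }

    // Fresh password for the in-memory PKCS#12 blob. It only has to match between Export
    // and LocalCertificatePassword, so nothing is gained by hard-coding one in source.
    public static string NewExportPassword()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }

    // Produces the two values the SAML library expects: a Base64 PKCS#12 blob that
    // includes the private key, and the password it was exported with. Fails fast on the
    // conditions that otherwise surface later as signing or "could not be loaded" errors.
    public static void ApplyToServiceProvider(
        LocalServiceProviderConfiguration serviceProvider,
        X509Certificate2 certificate, string exportPassword)
    {
        if (!certificate.HasPrivateKey)
            throw new InvalidOperationException("Certificate has no private key; the SP cannot sign with it.");
        if (DateTime.UtcNow > certificate.NotAfter.ToUniversalTime())
            throw new InvalidOperationException("Certificate has expired: " + certificate.Subject);

        byte[] pkcs12 = certificate.Export(X509ContentType.Pkcs12, exportPassword);
        serviceProvider.LocalCertificateString = Convert.ToBase64String(pkcs12);
        serviceProvider.LocalCertificatePassword = exportPassword;
        // LocalCertificateFile, LocalCertificateThumbprint and LocalCertificateSubject stay
        // unset; they are alternative ways of locating the certificate, not companions.
    }

    // Reloads the stored string with the stored password, exactly as the library will,
    // and confirms the private key survived the export.
    public static bool ReloadsWithPrivateKey(string base64Pkcs12, string password)
    {
        var reloaded = new X509Certificate2(Convert.FromBase64String(base64Pkcs12), password);
        return reloaded.HasPrivateKey;
    }

    // Constructed self-signed test certificate so the flow runs without a Key Vault. The
    // PKCS#12 round trip makes the key exportable on .NET Framework, where CreateSelfSigned
    // hands back an ephemeral key.
    public static X509Certificate2 MakeTestCertificate()
    {
        using (RSA rsa = RSA.Create(2048))
        {
            var request = new CertificateRequest(
                "CN=sp.example.test", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
            using (X509Certificate2 ephemeral = request.CreateSelfSigned(
                DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1)))
            {
                return new X509Certificate2(ephemeral.Export(X509ContentType.Pkcs12),
                    (string)null, X509KeyStorageFlags.Exportable);
            }
        }
    }

    public static void Main()
    {
        // For production, replace the test certificate with the Key Vault download:
        // X509Certificate2 certificate = DownloadWithPrivateKey(
        //     new Uri("https://<vault-name>.vault.azure.net/"), "<certificate-name>",
        //     new DefaultAzureCredential());
        X509Certificate2 certificate = MakeTestCertificate();

        var serviceProvider = new LocalServiceProviderConfiguration();
        ApplyToServiceProvider(serviceProvider, certificate, NewExportPassword());

        bool ok = ReloadsWithPrivateKey(
            serviceProvider.LocalCertificateString, serviceProvider.LocalCertificatePassword);
        Console.WriteLine(ok ? "Certificate with private key configured." : "Configuration failed.");
    }
}
```

Two operational points follow from the code. DownloadCertificate reads the certificate's backing secret, so an identity that has only certificate permissions gets an authorization error even though GetCertificate works; and if the certificate policy marks the key non-exportable, the private key cannot be downloaded at all and this approach does not apply. DefaultAzureCredential is used in the commented production call so that, when the application runs on Azure, a managed identity authenticates to Key Vault and there is no client secret to store alongside the code, which the ClientSecretCredential in the original post requires.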