Forums, Documentation & Knowledge Base - ComponentSpace

IdP metadata 2 certificates: 1st is to sign the metadata themselves, 2nd to sign the SAML response


https://componentspace.com/forums/Topic11583.aspx

By mlam - 5/24/2021

Hi
The IdP (PingFederate) metadata will contain 2 certificates: the first is to sign the metadata themselves, the second to sign the SAML response. 

From the SAML.config, I can only see PartnerIdentityProvider. May I know how to configure the above in the SAML.config?

<PartnerIdentityProvider Name="x"
          Description="xxx"
          SignAuthnRequest="true"
          SingleSignOnServiceUrl="https://xx.com"
          PartnerCertificateFile="Certificates\LIVE\x.cer"/>

By ComponentSpace - 5/25/2021

The saml.config doesn't include the certificate to verify the metadata signature. The PartnerCertificateFile specifies the certificate to use to verify signatures on SAML messages sent by the IdP.
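
To tell the two certificates in the metadata apart, the following added example (not code from ComponentSpace or from either poster) separates the certificate inside the metadata's own ds:Signature from the one in the IDPSSODescriptor signing KeyDescriptor, which is the one that belongs in PartnerCertificateFile. It assumes the standard SAML 2.0 metadata layout; the function names and the sample metadata, with placeholder bytes in place of real certificates, are constructed for illustration, and the script does not verify the metadata signature itself.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder bytes standing in for DER certificates (not real certs).
META_SIG_CERT = b"constructed-metadata-signing-cert"
MSG_SIG_CERT = b"constructed-saml-message-signing-cert"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test">
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
    {base64.b64encode(META_SIG_CERT).decode()}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(MSG_SIG_CERT).decode()}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def _certs(parent):
    """DER bytes of every ds:X509Certificate under parent (base64 may be line-wrapped)."""
    return [base64.b64decode("".join(e.text.split()))
            for e in parent.iterfind(".//ds:X509Certificate", NS) if e.text]

def classify_certs(metadata_xml):
    """Split metadata certificates by role: metadata signature vs. SAML message signing."""
    root = ET.fromstring(metadata_xml)
    roles = {"metadata_signature": [], "message_signing": []}
    # The enveloped signature over the metadata is a direct child of the root element.
    for sig in root.findall("ds:Signature", NS):
        roles["metadata_signature"] += _certs(sig)
    for idp in root.iterfind(".//md:IDPSSODescriptor", NS):
        for kd in idp.findall("md:KeyDescriptor", NS):
            # A KeyDescriptor with no "use" attribute applies to signing and encryption.
            if kd.get("use") in (None, "signing"):
                roles["message_signing"] += _certs(kd)
    return roles

def fingerprint(der):
    """SHA-256 fingerprint to confirm with the IdP administrator out of band."""
    return hashlib.sha256(der).hexdigest()

def to_pem(der):
    """PEM text of the certificate, for saving as the partner certificate file."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

Only the certificates returned under "message_signing" are candidates for PartnerCertificateFile; compare the fingerprint with the value the IdP administrator gives you before trusting it.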