By lassoued - 12/8/2021
We have just been informed by our client, who is using ADFS as IdP (we are the SP for the SSO).
The certificate (token signing certificate) currently used by their ADFS IdP will soon expire.
But on our side we are only using a local (sp.pfx) certificate to sign the authentication request with the ComponentSpace API, like this:
I don't understand why and which cert should we update from our side ...
The relying party in ADFS idp is configured to sign with the cer certificate like below:
Encryption certificate: not configured
In the ADFS console, the client has the token signing cert that will expire soon.
Thank you in advance
By ComponentSpace - 12/10/2021
Yes. The certificate is embedded by ADFS when it signs the SAML assertion.
If it were a CA issued certificate you could perhaps trust this certificate as long as the certificate chain was valid and the subject DN correct. However, by default ADFS and many other providers use self-signed certificates so they can't be trusted directly. You need to have received the certificate previously from a trusted source.
We find the embedded certificate useful when debugging signature verification failures. If the embedded certificate doesn't match the configured certificate used to perform the signature verification it means the IdP has rolled over to a new certificate and the SP needs to update its configuration with the new certificate from the IdP.
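The debugging check described in this answer (compare the certificate embedded in the signed assertion against the certificate the SP is configured to trust, and treat a mismatch as a sign of IdP rollover rather than as something to trust automatically) can be scripted. The following is an added example and not ComponentSpace's code; it uses only the Python standard library, the sample SAML response and the certificate bytes are constructed placeholders, and the status names are made up for this example. It is a diagnostic only: it does not verify the XML signature, which stays with the SAML library.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List

DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed placeholder bytes standing in for DER-encoded X.509 certificates.
# A real response carries the IdP's actual token-signing certificate here.
CONFIGURED_CERT_DER = b"placeholder-configured-idp-token-signing-cert"
ROLLED_OVER_CERT_DER = b"placeholder-new-idp-token-signing-cert"


def fingerprint(der: bytes) -> str:
    """SHA-256 thumbprint of a certificate, as stored in SP configuration."""
    return hashlib.sha256(der).hexdigest()


def build_sample_response(cert_der: bytes) -> str:
    """Constructed minimal SAML response whose assertion signature embeds a cert."""
    b64 = base64.b64encode(cert_der).decode()
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1">
  <saml:Assertion ID="_constructed_a1">
    <ds:Signature xmlns:ds="{DS_NS}">
      <ds:SignedInfo/>
      <ds:SignatureValue>AAAA</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{b64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </ds:Signature>
  </saml:Assertion>
</samlp:Response>"""


def embedded_cert_fingerprints(saml_xml: str) -> List[str]:
    """Thumbprints of every ds:X509Certificate found in ds:KeyInfo blocks."""
    root = ET.fromstring(saml_xml)
    found = []
    for el in root.iter(f"{{{DS_NS}}}X509Certificate"):
        # Base64 in KeyInfo is commonly line-wrapped; strip whitespace first.
        der = base64.b64decode("".join((el.text or "").split()))
        found.append(fingerprint(der))
    return found


def check_rollover(saml_xml: str, configured_fp: str) -> Dict[str, object]:
    """Classify the embedded cert against the SP's configured IdP cert.

    A mismatch is reported, never trusted: the embedded cert is whatever the
    sender put there, so the new cert must still come from the IdP directly
    (for ADFS, its federation metadata) before the SP configuration is updated.
    """
    embedded = embedded_cert_fingerprints(saml_xml)
    if not embedded:
        return {"status": "no-embedded-cert", "embedded": [], "configured": configured_fp}
    if configured_fp in embedded:
        return {"status": "match", "embedded": embedded, "configured": configured_fp}
    return {"status": "rollover-suspected", "embedded": embedded, "configured": configured_fp}


if __name__ == "__main__":
    configured = fingerprint(CONFIGURED_CERT_DER)
    for label, der in (("current", CONFIGURED_CERT_DER), ("after rollover", ROLLED_OVER_CERT_DER)):
        result = check_rollover(build_sample_response(der), configured)
        print(f"{label}: {result['status']}")
```

Running it prints `match` for the response signed with the configured certificate and `rollover-suspected` for the one carrying a different certificate; in the latter case the fix is to obtain the new token-signing certificate from the IdP and update the SP's configured certificate, not to accept the embedded one.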