Where to find issuer certificate - certificate

I'm using OpenSSO 8, which I haven't configured myself. It's fully configured and without any problems. My problem is that I need to find the issuer certificate used to validate digital signatures on the SAML credentials. Can you tell me where I should look for it?

You usually get the certificate in the metadata. Here is a link on how to exchange the metadata from OpenSSO.
The certificates are actually stored in the opensso/opensso folder and can be exported using keytool.

Related

Google Workspace SAML apps - Upload self-managed x509 certificate

When setting up a SAML app in Google Workspace, an x509 certificate is automatically generated by Google. Is there any way to provide/upload a self-managed certificate for the SAML app instead of using the default x509 certificate auto-generated by Google?
The above is possible in other IdPs such as Azure.
I am afraid it is not possible. Google only allows you to use their own certificates created within the Admin console. You can check that there is no other option to manage the certificates in their official documentation. The only steps provided are related to how to create and delete the certificates from the Security section in the Admin console.

How do I add CA certificate in fiddler requests or Postman requests?

I have created a couple of APIs and now I have to test them using Fiddler or any certificate-friendly tool. Requests that do not have a valid certificate must be rejected by the server.
Certificate Background
Here are the two certificates issued by the CA:
I have one intermediate public certificate named
MyIntermediate.cer
I have a private certificate for each device that will call my API to fetch data.
I have uploaded the public certificate, MyIntermediate.cer, to the server [Azure APIM].
Now, to test the APIs, I have to use a tool like Fiddler or Postman, or any other tool that supports uploading a certificate or reading one from the store.
I do not see any options in these tools to upload a certificate or read one from the Windows store. This is where I need help.
I see settings in Postman, but they do not seem to be for CA certificates, because I do not have a key file.
APIM Details
Azure API manager is the service provided by Microsoft. All requests will be processed by APIM. I have uploaded the MyIntermediate.cer public certificate to APIM. So, to call GetCustomer, someone has to have a certificate which is trusted by MyIntermediate.cer.
You need to have the "private certificate for each device" along with its password (if it was saved with one) to make an authenticated call. If you want to rely on APIM's ability to validate the certificate chain, then you'll indeed need to upload the intermediate certificate, and possibly the root certificate as well if it's not one of the public ones.

Certificate based authentication on internet facing secure site

I have to develop a web application that is both secured over HTTPS and uses client authentication certificates. The clients connect by invitation, so it is not intended for users stumbling upon this application by googling around.
The ideal would be to get an intermediate CA certificate from a public root authority and use it both to sign the SSL certificate and to issue client authentication certificates. I think that won't work, as simply put I will never qualify for such an intermediate CA (as far as I know, but maybe I am wrong about that).
Second guess: create my own root CA and an intermediate CA, and use them. Because of what I wrote about the users, I can embed the necessary certificate chain in the issued certificates. This technically works.
What I would prefer is to get an SSL certificate from a public authority and to use my own chain to issue authentication certificates and verify the users. According to this it is possible. But I haven't found anything about how to configure IIS, for example (or Kestrel), to request client certificates issued by a specific CA, even less some standard specification where this flow is described.

Dispute over the efficacy of using public CA certs to secure SAML assertions

Here's the question:
Is there any benefit to securing a SAML assertion with a CA cert? I understand how using a CA cert is of benefit when establishing the SSL connection over which the SAML assertion is transported, but what about a CA cert for the PKI handshake that occurs when the SP accepts the SAML assertion itself? I have one side contending that within the SAML exchange there's no way for the SP to iterate through the chain of trust to the root CA cert, while on the other side I have someone saying that it can.
Bonus points if you can point me to an authoritative source that supports your answer.
If I understand you correctly, you wonder if there is any point in using a certificate signed by a CA when signing the SAML assertion.
In my opinion you should not need this. When you establish the initial trust and exchange metadata, you can include the public key of the entity in the metadata.
If you can trust that the exchange of metadata is secure, you can just verify the signature against the public key in the metadata.
I cannot see how a CA would give any value to this situation.
I agree too. Although in the standard Shibboleth metadata sharing mechanism (Federation), the whole published metadata block is signed by the Federation certificate. So PKI may be (and probably is) used to distribute service and IdP metadata between security partners. But as Stefan wrote, there is no point in signing the assertion with a certificate signed by a trusted CA.
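The two SAML threads above describe the same trust model: the signing certificate is published in the IdP metadata, and the SP verifies against that pinned key rather than walking a CA chain. The sketch below is an added example, not code from any of the posts; the entity ID, the placeholder certificate bytes and all function names are constructed for illustration.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
# Constructed sample data: placeholder bytes stand in for real DER certificates.
SIGNING_DER = b"constructed-placeholder-not-a-real-DER-certificate"
SIGNING_B64 = base64.b64encode(SIGNING_DER).decode()
ENCRYPT_B64 = base64.b64encode(b"constructed-encryption-cert").decode()
IDP_METADATA = f"""<md:EntityDescriptor entityID="https://idp.example.test/opensso"
    xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   {SIGNING_B64[:40]}
   {SIGNING_B64[40:]}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   {ENCRYPT_B64}
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def signing_certs(metadata_xml):
    """Return the DER bytes of each certificate the metadata lists for signing."""
    certs = []
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute covers signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for node in kd.iterfind(".//ds:X509Certificate", NS):
            # Metadata wraps the base64 text across lines; drop the whitespace.
            certs.append(base64.b64decode("".join((node.text or "").split())))
    return certs

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def to_pem(der):
    """Wrap DER bytes as PEM so the certificate can be saved and inspected."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def is_pinned(cert_der, metadata_xml):
    """True if cert_der is one of the signing certificates in the metadata.
    Trust comes from this match, not from a CA chain; the assertion's XML
    signature must still be verified against the pinned key by a SAML library."""
    return fingerprint(cert_der) in {fingerprint(c) for c in signing_certs(metadata_xml)}
```

With real metadata, the output of `to_pem` can be written to a file and compared by fingerprint with the certificate exported from the keystore.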

JBoss Certificate Issue

We are using JBoss 5.1. We have deployed a web service and wish to add certificate functionality. We have created a CA and a certificate signed by that CA (we used openssl and the Java keytool to create the .keystore file). We imported both the CA and the certificate into the .keystore file and pointed the connector (in server.xml) to that .keystore:
The common name used for the CA is aname.com, while the common name for the certificate is hostname. The validity period of the certificate is almost one year, while for the CA it is a little more.
When trying to access the web service URL (https://hostname:8443/path_to_webservice) with Internet Explorer, we get the error that our certificate is not issued by a trusted certificate authority.
When we select to view the certificate in the browser, we get a certificate that is issued for hostname, issued by hostname, and its validity period is only 3 months. Obviously, the certificate we get from Internet Explorer is very different from the one we created.
How can I solve this issue? Is it a certificate issue or do I need to make some changes in JBoss?
Is it a certificate issue or do I need to make some changes in JBoss?
While I'm not able to provide you a precise answer, I'll provide you some guiding questions that may help you solve the problem :-) Are you able to import this certificate (the pem file, which you used to create the keystore file) in a browser? What about the fingerprint, does it look the same as the one stored in JBoss? Does this bogus certificate remind you of any previous attempt?
I'd say that this is most certainly a problem with the certificate itself, as I don't believe JBoss is able to fake your certificate :-)