Is it possible to sign a SAML 2.0 post with a self-signed certificate? I am in charge of implementing a new SSO procedure with a vendor using SAML 2.0 and we trying to determine if we can sign the SAML post with a self-signed certificate or if we need to buy one.
If we can use a self-signed certificate, does the Service Provider need to do any additional steps to verify the signature? We are creating the SAML 2.0 post as the Identity Provider.
Thanks in advance.
Yes, I assume you mean signing the Assertion that is returned via POST binding (see SAML 2.0 Profiles, section 4.1.4.5). The SAML 2.0 specification mandates it be signed for SSO, but doesn't get into specifics of CA signed vs. self-signed.
Check with your software (both IdP and SP side) to see what is supported - some have limitations in this regard.
The SAML spec actually recommends that you use long-lived self-signed certificates. See this document for more info
Related
I'm a Service Provider, and the SME for the Identity Provider has specified that they require that the SP provide them a certificate different from the standard server certificate.
Every SSO Integration I've accomplished so far has had the IdP provide me with the certificate.
Is a SP able create and provide a separate certificate to the IdP?
Currently, the IdP SME is advising that unless I can provide this, he won't enable Solicited SSO(SP-Initiated SSO).
I am trying to integrate SAML in an ongoing project for one of our clients. I am new to Okta and its services. The only thing, the client wants to input okta URL and upload certificate in the admin panel. Rest I have to create a login module using okta. My question is what is the use of a certificate? How can I use that certificate in the project? If possible please share any info on how to develop this in PHP preferable.
Two reasons a client ( presumably the application requiring SSO with Okta ) would provide you with a certificate.
1) They are signing the SAML Request, in which case you need to be able to verify the signature. I don't believe OKta supports signed requests, which would rule this out.
2) They want the SAML Response encrypted. In which case you would include the public key provided in the Okta application configuration.
Niall
Background:
1. Originally SAML based on the ADFS works fine, but after the ADFS certificate update, it can't work fine. Since the certificate of the ADFS will be expired, so we update the certificate, but unfortunately can not work fine with updated certificate ADFS
The exception is "Signature is not trusted or invalid" which thrown in the spring SAML. Does there exist some especially needed to be noticed when update the ADFS certificate?
You need to regenerate the Identity provider (IDP) XML file i.e federation-metadata.xml and exchange with the client i.e Service provider. As you mentioned that ADFS certificates were expired and you reconfigured the new certificates, so those play a significant role for encryption and signing of assertions issued from the IDP based on how the system is configured. You have made the changes on the IDP side but on SP side still, old federation-metadata.xml is in use with old certificates. When IDP issued assertions or response, that response is validated by using those certificates. When you regenerate that file it will contain the latest details related to certificates. So you need to regenerate the federation-metadata.xml and share with the service provider (SP) in order to fix the issue.
I am trying to implement SSO for a service and using ADFS and PingFederate as IDP.
SSO works when I avoid signing the AuthRequest (both with ADFS and PingFederate), but fails with following error "SAML Message has wrong signature. Issuer: 'My SP entityID' " when AuthRequest is signed.
I had updated corresponding Relying trust part with certificate of my SP. I think, i am doing something wrong in the IDP configuration. Any help is appreciated.
I had tried this answer without any luck: MSIS0038: SAML Message has wrong signature - ADFS error
This error on ADFS is received when the AuthnRequest is signed but the SP's certificate configured is incorrect. Make sure that you have provided the correct certificate, go to Relying Party Properties > Signature tab. You should see the certificate provided by you. Verify the thumbprint to be sure.
Also, if you are sending the SAMLRequest as a query parameter (HTTP-Redirect binding), make sure you are using the SHA1 certificate for signing the AuthnRequest. Signing using the SHA256 certificate is not supported in HTTP-Redirect binding by ADFS.
I am Authenticating all my users through a Microsoft product using SAML 2.0 with a X509 Certificate. The certificate is close to expiration, and I am not sure if after the certificate expires, my Service Providers will continue accepting my tokens.
I am very VERY new to SAML and SSO in general, so my apologies for not using the right terms.
If your Service Providers are compliant to the specification they will stop processing your SAML messages (Responses) once your signing certificate expires.
Unfortunately, there is no easy way to tell ahead of time. You will probably need to contact each one to find out how they handle this situation -- homegrown solutions may be more lenient than commercial products in this regard and allow SSO transactions to continue.