
I created a SAML2 Identity Provider using ComponentSpace's .net library. We have a 3rd party app that will act as the Service Provider.

I know that X.509 certificates are used, but who creates the certificates? The Identity Provider? The Service Provider? Or do they each create their own?

John-Luke Laue

1 Answer


ComponentSpace comes with some self-signed certificates that you can use to get started.

You need to create the certificates on the SP side.

On the IDP side, the IDP will have its own certificates that it creates.

ADFS, for example, will create its own if configured to do that, but you can upload your own if you want.

rbrayb
  • The [Certificate Guide](https://www.componentspace.com/Forums/9349/Certificate-Guide) documents a number of ways to create self-signed certificates. It's also worth noting that as the SP you don't necessarily need a certificate. It's required if you are going to sign SAML messages or if the SAML assertion is to be encrypted. – ComponentSpace May 02 '19 at 23:13
  • So, for example, I (as the Identity Provider) create a self-signed certificate "idp.pfx" with public key xyz. I also create "idp.cer" and put the xyz public key inside it. I store both "idp.pfx" and "idp.cer" locally (say, under my /Certificates folder). I then give a Service Provider a copy of "idp.cer" (the public key). The reverse is also done if we are going to "sign SAML messages or if the SAML assertion is to be encrypted" as you said. Do I have this right? Thanks! – John-Luke Laue May 03 '19 at 00:37
  • @ComponentSpace or wait...is the public key provided in the metadata? – John-Luke Laue May 03 '19 at 01:03
  • The certificate, which includes the public key, is typically provided as part of the metadata, usually within the KeyDescriptor element. If signing or encryption is used, you always need a key pair; a certificate enclosing the public key is not enough. – Bernhard Thalmayr May 03 '19 at 07:16
  • @johnluke.laue Your understanding is correct. Sorry, I mis-read your original question and thought you were acting as the SP. As the IdP you will have a private key and supply SPs with the corresponding public key. SAML messages you send will be signed with your private key. SPs will verify the signatures using your public key. Public keys may be distributed as certificate files (typically .CER on Windows) or preferably as part of your SAML metadata. It's unlikely SPs will require the SAML assertion to be encrypted, but if that's the case you encrypt with the SP's public key. – ComponentSpace May 03 '19 at 22:31
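The exchange described in the answer and comments, as an added example that is not part of the original post and does not use ComponentSpace: each party generates its own key pair and self-signed certificate with openssl, only the certificate (public key) is handed across, normally inside a `KeyDescriptor` in the metadata, the IdP signs with its private key, the SP verifies with the IdP's public key, and encryption runs the other way using the SP's public key. File names, the CN values and the signed "message" are constructed for the demo; the one openssl-specific simplification is that the encryption step wraps a random content-encryption key with RSA-OAEP, which is the part of XML Encryption that involves the SP's certificate.

```shell
#!/bin/sh
# Added example, not code from the original answer or from ComponentSpace.
# Each party generates its OWN key pair and self-signed certificate with
# openssl; only the certificate (public key) crosses to the other side,
# usually inside <md:KeyDescriptor> in SAML metadata. File names, CN values
# and the signed "message" below are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_keypair NAME CN: the private key (.key) never leaves its owner; the
# DER .cer is the file you hand to the other party (the "idp.cer" of the thread).
make_keypair() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$2" 2>/dev/null
  openssl x509 -in "$WORK/$1.crt" -outform DER -out "$WORK/$1.cer"
}

# key_descriptor NAME USE: the metadata fragment that publishes the cert
# (USE is "signing" or "encryption"), so the peer never needs a loose .cer file.
key_descriptor() {
  b64=$(openssl base64 -A -in "$WORK/$1.cer")
  printf '<md:KeyDescriptor use="%s"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>\n' "$2" "$b64"
}

# pubkey_from_cer NAME: all the receiving side can extract from the DER cert.
pubkey_from_cer() {
  openssl x509 -inform DER -in "$WORK/$1.cer" -pubkey -noout > "$WORK/$1.pub"
}

# idp_sign FILE: the IdP signs with its PRIVATE key.
idp_sign() { openssl dgst -sha256 -sign "$WORK/idp.key" -out "$1.sig" "$1"; }

# sp_verify FILE: the SP checks with the IdP's PUBLIC key only. Exit 0 = valid.
sp_verify() {
  pubkey_from_cer idp
  openssl dgst -sha256 -verify "$WORK/idp.pub" -signature "$1.sig" "$1" >/dev/null 2>&1
}

# Encryption runs the other way: the IdP wraps a content-encryption key with
# the SP's public key (RSA-OAEP, as XML Encryption does); the SP unwraps it
# with its own private key sp.key.
idp_wrap_cek_for_sp() {
  pubkey_from_cer sp
  openssl pkeyutl -encrypt -pubin -inkey "$WORK/sp.pub" \
    -pkeyopt rsa_padding_mode:oaep -in "$1" -out "$1.enc"
}
sp_unwrap_cek() {
  openssl pkeyutl -decrypt -inkey "$WORK/sp.key" \
    -pkeyopt rsa_padding_mode:oaep -in "$1.enc" -out "$1.dec"
}

# run_demo: prints "ok" when the whole exchange behaves as the answer says.
run_demo() {
  make_keypair idp "idp.example.test"
  make_keypair sp  "sp.example.test"
  key_descriptor idp signing    > "$WORK/idp-metadata-fragment.xml"
  key_descriptor sp  encryption > "$WORK/sp-metadata-fragment.xml"

  # constructed stand-in for a SAML Response
  printf '<samlp:Response ID="_constructed-1">...</samlp:Response>' > "$WORK/msg.xml"
  idp_sign "$WORK/msg.xml"
  sp_verify "$WORK/msg.xml" || { echo "valid signature rejected"; return 1; }

  # tampering after signing must be detected by the SP
  printf ' tampered' >> "$WORK/msg.xml"
  if sp_verify "$WORK/msg.xml"; then echo "tampered message accepted"; return 1; fi

  # assertion encryption: key wrapped to the SP's cert, unwrapped with sp.key
  openssl rand -out "$WORK/cek.bin" 32
  idp_wrap_cek_for_sp "$WORK/cek.bin"
  sp_unwrap_cek "$WORK/cek.bin"
  cmp -s "$WORK/cek.bin" "$WORK/cek.bin.dec" || { echo "cek mismatch"; return 1; }

  grep -q 'use="signing"' "$WORK/idp-metadata-fragment.xml" || return 1
  echo ok
}

# sh this_script.sh --run
case "${1:-}" in --run) run_demo ;; esac
```

Note that nothing in the SP's directory ever contains `idp.key`, and nothing in the IdP's directory ever contains `sp.key`; if a deployment guide asks you to copy a `.pfx` (which holds the private key) to the other party, something is wrong. A `.pfx` may still be how you store your own key pair locally, as the question describes.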