I'm currently trying to migrate our SAML portal from v2.0.6 to v3.7.0 and I'm running into some issues with our custom code. First, a brief background.
1. We have both a local SP and a local IDP. These are defined in the configuration via appSettings.json. The local certificates are stored in Azure Key Vault and they are self-signed.
2. For our local SP we support a vast number of partner IDPs and we need quite dynamic configuration support. Therefore we have a custom ISamlConfigurationResolver that is derived from AbstractSamlConfigurationResolver. This custom ISamlConfigurationResolver resolves our local IDP and SP from the configuration, while the partner IDPs are stored in a database. The partner IDPs' metadata is persisted by serializing the PartnerIdentityProviderConfiguration instance that is mainly obtained via MetadataToConfiguration.ImportUrlAsync.
Now to the current issue at hand.
To expose our own SP Metadata, we generate it on the fly from the current configuration. This is done in a MVC action by utilizing the ConfigurationToMetadata class.
Previously we initiated a standalone ConfigurationToMetadata instance and used the Export(SamlConfiguration, X509Certificate2, X509Certificate2) function by feeding it a SamlConfiguration instance that we obtained via ISamlConfigurationResolver.GetLocalServiceProviderConfigurationAsync(string ConfigurationID). Before export we had to load the certificates manually via the ICertificateLoader, though, to feed into the Export() function.
Now the ConfigurationToMetadata has been changed and requires ISamlConfigurationResolver and ICertificateManager instances in its constructor. Fair enough, an easy change, and the Export(...) function is now changed to ExportAsync(string configurationID), which means we don't have to manually fetch the configuration and load certificates.
The problem though is that the certificates are now being validated which results in an exception for the self-signed IDP and SP certificates.
ComponentSpace.Saml2.Exceptions.SamlCertificateException : The X.509 certificate with subject name CN=xxx, O=yyy, C=SE, serial number AAAAAA and thumbprint BBBBBB failed to validate.
Is there any way to disable the certificate validation during the configuration export to metadata format?
After some further digging it seems this might be "platform" dependent as I am running my development stack on macOS 10.15.7. The output below points to this being an issue.
The certificate failed to load using the flags MachineKeySet, Exportable, EphemeralKeySet.
System.PlatformNotSupportedException: This platform does not support loading with EphemeralKeySet. Remove the flag to allow keys to be temporarily created on disk.
at Internal.Cryptography.Pal.AppleCertificatePal.FromBlob(Byte rawData, SafePasswordHandle password, X509KeyStorageFlags keyStorageFlags)
at System.Security.Cryptography.X509Certificates.X509Certificate..ctor(Byte rawData, String password, X509KeyStorageFlags keyStorageFlags)
at ComponentSpace.Saml2.Certificates.CertificateLoader.LoadCertificate(Byte certificateBytes, String certificateFile, String certificatePassword)
ComponentSpace.Saml2.Certificates.CertificateLoader: Debug: The certificate failed to load using the flags MachineKeySet, Exportable, EphemeralKeySet.
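The two things the post runs into, a key storage flag the platform rejects and chain validation failing for a self-signed certificate, can be demonstrated with plain .NET APIs. The following is an added example, not code from the post, from ComponentSpace or from its CertificateLoader; the fallback order of the key storage flags, the pinned-root collection and the demo subject name and PFX password are assumptions made for the example. It loads a PFX with EphemeralKeySet where the platform supports it and falls back where it throws PlatformNotSupportedException (as the macOS log above shows), and it validates a self-signed SP/IdP certificate by pinning it as a custom trust root rather than switching validation off. X509ChainTrustMode.CustomRootTrust requires .NET 5 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not ComponentSpace or the poster's code).
public static class SelfSignedCertificateDemo
{
    // Flag sets tried in order. The first mirrors the flags in the question's log;
    // the fallback order is an assumption for this example.
    private static readonly X509KeyStorageFlags[] FlagCandidates =
    {
        X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable | X509KeyStorageFlags.EphemeralKeySet,
        X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.Exportable,
        X509KeyStorageFlags.UserKeySet | X509KeyStorageFlags.Exportable,
    };

    // Loads a PFX, skipping flag sets the current platform does not support.
    public static X509Certificate2 LoadPfx(byte[] pfxBytes, string password)
    {
        foreach (var flags in FlagCandidates)
        {
            try
            {
                return new X509Certificate2(pfxBytes, password, flags);
            }
            catch (PlatformNotSupportedException ex)
            {
                // e.g. macOS rejects EphemeralKeySet; try the next candidate.
                Console.WriteLine($"Flags {flags} rejected: {ex.Message}");
            }
        }
        throw new CryptographicException("PFX could not be loaded with any candidate flag set.");
    }

    // Builds a chain for 'cert' using only the pinned roots as trust anchors.
    // Revocation checking is off because self-signed certs carry no CRL/OCSP endpoints.
    public static bool ValidateAgainstPinnedRoots(
        X509Certificate2 cert, X509Certificate2Collection pinnedRoots, out X509ChainStatus[] status)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; // .NET 5 or later
        chain.ChainPolicy.CustomTrustStore.AddRange(pinnedRoots);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        bool ok = chain.Build(cert);
        status = chain.ChainStatus;
        return ok;
    }

    // Creates a throwaway self-signed certificate (constructed demo data). It is marked
    // as a CA so every platform's chain engine accepts it as a trust anchor.
    public static X509Certificate2 CreateSelfSigned(string subject)
    {
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest(subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        req.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        return req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
    }

    public static void Main()
    {
        const string password = "demo-password"; // constructed value for the exported PFX
        using var generated = CreateSelfSigned("CN=local-sp-demo, O=example, C=SE");
        byte[] pfx = generated.Export(X509ContentType.Pfx, password);

        using var loaded = LoadPfx(pfx, password);
        Console.WriteLine($"Loaded {loaded.Subject}, has private key: {loaded.HasPrivateKey}");

        // Against the system trust store alone, a self-signed certificate fails (UntrustedRoot).
        using var systemChain = new X509Chain();
        systemChain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
        bool systemOk = systemChain.Build(loaded);
        Console.WriteLine($"System trust only: {systemOk} " +
            $"({string.Join(", ", Array.ConvertAll(systemChain.ChainStatus, s => s.Status))})");

        // With the certificate pinned as a custom root, validation succeeds without being disabled.
        var pinned = new X509Certificate2Collection { new X509Certificate2(loaded.Export(X509ContentType.Cert)) };
        bool pinnedOk = ValidateAgainstPinnedRoots(loaded, pinned, out var status);
        Console.WriteLine($"Pinned root trust: {pinnedOk} " +
            $"({string.Join(", ", Array.ConvertAll(status, s => s.Status))})");
    }
}
```

Pinning the local SP and IdP certificates (the ones stored in Key Vault) as custom roots keeps chain checks, expiry checks and signature checks in place while accepting self-signed issuers, which is the safer alternative to disabling validation outright during the metadata export.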