Forums, Documentation & Knowledge Base - ComponentSpace

IDP metadata has primary and secondary signing certificates


https://www.componentspace.com/forums/Topic11125.aspx

By rogerr - 8/27/2020

Not sure if this is a configuration error on the part of the IDP i am trying to use (ADFS) or not but the situation is this.

I am running an component space service provider in my asp.net/mvc site.  component space version is 4.3.0.0

At startup it imports metadata for the IDP using the  MetadataImporter.ImportIdentityProviders method to import a single provider from a URL.

The metadata contains 2 certificates with use="signing" attributes.  One is the providers "primary" cert, the other is its "secondary" certificate.
The order is primary followed by secondary.  Both have the same subject name.

After importing the metadata, there is only one certificate in the certificates folder, and it is that of the secondary certificate.
When the IPD sends a saml response, it is signing it with the primary certificate.

As a result, unless i set the  UseEmbeddedCertificate to true for the provider config, i get a signature verification error when the response is processed.

So my questions are
- is it considered legit or bad practice to set UseEmbeddedCertificate to true?   
  it seems like for maximum security, we should be relying only on the metadata that has been exchanged, not what is in the current request, right?
- is there a way to control which certificate is imported from the metadata if they have the same subject name,  or have it go ahead and import both versions and then try them both or something?
- is this a common situation, hence the availability of the UseEmbeddedCertificate option,  or is this really an error on the part of the IDP setup.  like maybe they shouldn't use the same subject name for both primary and secondary certificates or something.


Thanks 

roger

By ComponentSpace - 8/27/2020

Thanks. This is a limitation in how we create the certificate file names. I'll email you a download link to a beta that removes this limitation.