Which certificates are safe to send?

  • Question

  • Hi

    We are going to use our ADFS Service to authenticate a SaaS solution.
    Now I am asked to deliver some certificates to establish the trust.

    I already sent the token-decryption certificate (of course without the private key).
    Now they ask me to also send the token-signing certificate as well.

    Can you please tell me what the best practice is, i.e. what is safe to send to external partners for the trust?

    Thanks.

    Thursday, November 26, 2015 4:11 PM

Answers

  • You should never send individual encryption and signing certificates.

    This information is in the metadata and that's all you need to send.

    Thursday, November 26, 2015 11:58 PM
  • Hi Matz-i,

    Typically you will send the public key of your Token Signing certificate. The Token decryption certificate will only be required if the SP (Service Provider) will encrypt assertions/claims.

    Note that the public keys of all those certificates are publicly available:

    Service Communication - public key is transmitted when you establish an HTTPS session

    Token decryption/token signing - public key is published in your federation metadata

    Good luck!

    Shane

    Thursday, November 26, 2015 6:54 PM
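Both answers rest on the same point: the federation metadata document AD FS publishes already carries the public certificates (as SAML `KeyDescriptor` elements with `use="signing"` or `use="encryption"`), so a partner who can fetch the metadata has everything a signed `.cer` file would give them. The script below is an added example, not code from this thread or from AD FS; it parses a constructed metadata snippet (the base64 blobs are placeholders standing in for real DER certificates, so their thumbprints are illustrative only), lists the certificates by declared use, and includes a small pre-send check that refuses PKCS#12 containers and PEM private-key blocks, which are the files that must never leave the AD FS server.

```python
"""List the certificates an AD FS federation metadata document publishes,
grouped by declared use, and sanity-check a file before it is sent to a partner.

Added example (assumptions: stdlib only; the metadata below is constructed).
A real document lives at https://<adfs-host>/FederationMetadata/2007-06/FederationMetadata.xml
and contains real DER-encoded X.509 certificates in the X509Certificate elements.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample with one encryption and one signing KeyDescriptor.
# The base64 payloads are placeholder bytes, not real certificates.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://adfs.example.invalid/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>AAECAwQFBgcICQ==</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>CgsMDQ4PEBESEw==</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def published_certificates(metadata_xml: str) -> list:
    """Return one record per X509Certificate found in any KeyDescriptor.

    Each record carries the declared use, the SHA-1 thumbprint of the DER
    bytes (the value AD FS and most partners compare) and the DER length.
    A KeyDescriptor without a 'use' attribute is valid for both purposes.
    """
    root = ET.fromstring(metadata_xml)
    records = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use") or "signing+encryption"
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            if not cert.text:
                continue
            der = base64.b64decode("".join(cert.text.split()))
            records.append({
                "use": use,
                "thumbprint": hashlib.sha1(der).hexdigest().upper(),
                "der_length": len(der),
            })
    return records


def by_use(metadata_xml: str) -> dict:
    """Group thumbprints by use, e.g. {'signing': [...], 'encryption': [...]}."""
    grouped = {}
    for rec in published_certificates(metadata_xml):
        grouped.setdefault(rec["use"], []).append(rec["thumbprint"])
    return grouped


def safe_to_share(filename: str, content: bytes) -> bool:
    """Pre-send check: only bare public certificates (.cer/.crt/.pem) pass.

    PKCS#12 (.pfx/.p12) exports bundle the private key, and a PEM file that
    carries a PRIVATE KEY block is a key file regardless of its extension.
    """
    if filename.lower().endswith((".pfx", ".p12")):
        return False
    if b"PRIVATE KEY" in content:
        return False
    return True


if __name__ == "__main__":
    for rec in published_certificates(SAMPLE_METADATA):
        print(f"{rec['use']:<12} {rec['thumbprint']}  ({rec['der_length']} bytes DER)")
    print("signing.cer ok?", safe_to_share("signing.cer", b"-----BEGIN CERTIFICATE-----\n"))
    print("signing.pfx ok?", safe_to_share("signing.pfx", b"\x30\x82"))
```

Against a real metadata URL, compare the `signing` thumbprints with the output of `Get-AdfsCertificate -CertificateType Token-Signing` on the AD FS server; if they match, the partner can already obtain the token-signing certificate from the metadata endpoint, and sending a `.cer` export of the same certificate discloses nothing additional.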

All replies

  • Thanks Shane for the easy explanation.
    Friday, November 27, 2015 3:15 PM
  • Hey Nzpcmad1

    Thanks as well, found the information under 
    https://adfs.xyz.com/FederationMetadata/2007-06/FederationMetadata.xml

    This particular trust wants me to send the certificates, though.

    Friday, November 27, 2015 3:17 PM