Separate decryption certificate per claims provider

  • Question

  • Hi,

    I would like to know if it's possible to have separate decryption certificates for claims providers set up on ADFS.
    The scenario I have is that we will have a few different companies issue claims to us, which will then be passed on to our own RP.
    The problem we're facing is that come rollover time it is going to be extremely difficult to schedule between multiple organisations.

    Regards,
    Jon

    Thursday, February 16, 2017 11:43 PM

Answers

  • Hi Jon,

    As far as I understand, when those companies send claims to you, they use your public key, which is the same throughout your ADFS farm. This is one of the main concepts of Public Key Infrastructure: a message is encrypted with the receiver's public key. I do not know a method to set a token-decryption certificate in ADFS on a per-claims-provider basis.

    As for the encryption certificate in a claims provider's properties, it is used when your ADFS sends a request to the said CP. Your ADFS sends a request to a CP when a user tries to access your ADFS-enabled service and does not have the proper cookies.

    In the real world, though, claims are rarely encrypted: usually HTTPS is used, which effectively encrypts the whole logon session, including claims. Therefore, you may disable token encryption completely if all your RPs/IdPs use HTTPS endpoints.

    See more about ADFS certificates here: https://blogs.technet.microsoft.com/askpfeplat/2015/01/26/adfs-deep-dive-certificate-planning/



    https://exchange12rocks.org/ | http://about.me/exchange12rocks


    • Edited by Kirill Nikolaev Saturday, February 18, 2017 11:44 PM
    • Marked as answer by Jon.S Monday, February 20, 2017 1:50 AM
    Saturday, February 18, 2017 11:42 PM
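The three certificate roles the answer describes can be checked directly on the farm. The following PowerShell audit script is an added example and is not part of the original thread; it assumes it runs on an ADFS server with the ADFS module and administrative rights, and it only reads configuration.

```powershell
# Added audit example (not from the original thread). Assumes the ADFS PowerShell
# module is present and the script runs on an ADFS server with admin rights.
Import-Module ADFS

# 1. Token-decrypting certificate(s): farm-wide, one primary (plus a secondary while a
#    rollover is in progress). Partners encrypt tokens to the primary one's public key;
#    there is no per-claims-provider decryption certificate to inventory.
Write-Host "== Farm token-decrypting certificates =="
Get-AdfsCertificate -CertificateType Token-Decrypting |
    Select-Object IsPrimary, Thumbprint,
        @{n='Subject';  e={ $_.Certificate.Subject }},
        @{n='NotAfter'; e={ $_.Certificate.NotAfter }} |
    Format-Table -AutoSize

# 2. Encryption certificate on each claims provider trust: the partner's public key this
#    farm would use when it sends a request to that CP. It plays no part in decrypting
#    the tokens the CP sends back to you.
Write-Host "== Claims provider trusts and their encryption certificates =="
Get-AdfsClaimsProviderTrust |
    Select-Object Name, Enabled,
        @{n='EncryptionCertSubject'; e={ if ($_.EncryptionCertificate) { $_.EncryptionCertificate.Subject }  else { '(none)' } }},
        @{n='EncryptionCertExpires'; e={ if ($_.EncryptionCertificate) { $_.EncryptionCertificate.NotAfter } else { '' } }} |
    Format-Table -AutoSize

# 3. Relying party trusts that still have token encryption switched on. Review each one
#    before turning it off with: Set-AdfsRelyingPartyTrust -TargetName <name> -EncryptClaims $false
Write-Host "== Relying party trusts with EncryptClaims enabled =="
Get-AdfsRelyingPartyTrust |
    Where-Object { $_.EncryptClaims } |
    Select-Object Name, Identifier,
        @{n='EncryptionCertExpires'; e={ if ($_.EncryptionCertificate) { $_.EncryptionCertificate.NotAfter } else { '' } }} |
    Format-Table -AutoSize
```

The first table is the one that matters for the rollover question: it lists every token-decrypting certificate the farm currently holds, so during a rollover you can see the new secondary certificate alongside the primary and confirm which thumbprint partners must be told about.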

All replies

  • Sorry, I'd also like to add this question.

    In what scenario is an encryption certificate used on a claims provider?

    Saturday, February 18, 2017 7:10 AM
  • Kirill,

    I've since run a test lab environment and can confirm what you've said to be correct.
    I did suspect that to be the case but I was hoping there was something I was missing.

    Thanks for that.

    Cheers,
    Jon

    Monday, February 20, 2017 1:50 AM