Token Decrypting Cert

  • Question

  • Hi Team,

    Good afternoon,

    1: Can someone please shed some light on the Decrypting cert on ADFS?

    I have only one application federated in our environment, Office 365. How will it be used there? I know that when ADFS sends a token to O365 it signs the token using the signing cert.

    2: How can we share the token signing and decrypting cert with Office 365?

    Thanks..

    Wednesday, December 12, 2018 9:41 AM

Answers

  • Yes, only if you federate ADFS with another STS (ADFS or third-party). But you switched who does what in your summary.

    Settings:
    - Application A trusts ADFS A
    - ADFS A has a Relying Party Trust for Application A
    - ADFS A has a Claim Provider Trust for ADFS B
    - ADFS B has a Relying Party Trust for ADFS A

    A user from B connects to Application A (let's call it RP A).

    RP A doesn't know the user and redirects them to ADFS A.

    ADFS A prompts the user with the Home Realm Discovery page. User B picks the icon which redirects them to ADFS B.

    ADFS B authenticates the user and issues a token for ADFS A, encrypted with the public key of the Token Decrypting certificate of ADFS A.

    User B presents this token to ADFS A. ADFS A decrypts it since it has the associated private key.

    ADFS A issues a token for RP A.

    User B presents this token to RP A.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by aka_Sunny Monday, December 17, 2018 1:50 PM
    Saturday, December 15, 2018 2:00 AM

All replies

  • The private key associated with the ADFS Token Decrypting certificate is used by ADFS to decrypt the token it receives from other Claim Providers. It is not used with Relying Party Trusts.

    If you do not have any other Claim Provider Trusts than Active Directory in your ADFS farm, you do not use this certificate.

    All public keys are available in the federationmetadata.xml file. The actual certificates are in there (base64 format). No encryption necessary, it is public key material.


    Friday, December 14, 2018 1:51 PM
  • About the NEVER share certificate statement. X509 certificates are signed public keys. They are public by nature.

    I think you meant you NEVER share the private key associated with a certificate. Private keys are not stored in the certificate itself.


    Friday, December 14, 2018 1:53 PM
  • It means that if Company A has an application which is federated with Company B, we install ADFS on both sides.

    The user accesses the application and the request goes to Company A's ADFS server, which says you need to authenticate and redirects to Company B's ADFS server. Once the user is authenticated, Company B's ADFS will send a token to Company A's ADFS which is encrypted using Company B's token decryption certificate, and we will decrypt the token sent by the IdP or partner ADFS using our decrypting cert.

    Please correct me if I am wrong.


    Friday, December 14, 2018 6:28 PM
  • 'If you do not have any other Claim Provider Trusts than Active Directory in your ADFS farm, you do not use [ADFS Token decrypting]. It is not used with Relying Party Trusts.'

    To your answer to this: RP can use this certificate. No, they cannot.

    If you want to encrypt a token for a RP, you need a certificate (a public key) on the RP. Then you can use this public key to encrypt the token that only the owner of the associated private key (the application consuming the token) will have.


    Saturday, December 15, 2018 1:55 AM