
I am using multiple Identity Providers in my application. The SAML Login and Assertion is working absolutely fine. My question is regarding signing the SAML messages using the certificates.

  1. I am storing the certificate for each Idp in the database and want to load it at the runtime. In the Demo application, the certificate is saved on the physical path and loaded using,

    CertificateUtil.Load
    

    This method has 5 overloads but it asks for the path where the certificate is stored. Can I use the method,

    CertificateUtil.LoadBytes
    

    to load the certificate from a string? I can't see any example of that.

  2. Does the certificate need to be installed on the system?

Adnan Yaseen

1 Answer

You can save the certificate in the database as a base64-encoded string.

To create a base64-encoded string from a certificate file (including the private key):

var certificate = ITfoxtec.Identity.Saml2.Util.CertificateUtil.Load("... certificate file path ...", "... password ...", X509KeyStorageFlags.Exportable | X509KeyStorageFlags.PersistKeySet);
var base64EncodeCertificate = Convert.ToBase64String(certificate.Export(X509ContentType.Pfx));

To get a certificate from a base64-encoded string:

var certificate = new X509Certificate2(Convert.FromBase64String(base64EncodeCertificate));

Anders Revsgaard

  • Thanks for the answer. I have loaded the certificate with a Base64 string. The issue is that I am unable to sign the request using the certificate. I have checked your answer from here https://stackoverflow.com/a/57495219/1361888 Where do I get the private key from? Do I need to generate it myself? – Adnan Yaseen Apr 26 '21 at 13:07
  • I have corrected the answer to export both the public and private key. – Anders Revsgaard Apr 26 '21 at 13:29
  • Sorry, I was not able to explain properly. In the database, I have stored the certificate as a Base64-encoded string. Do I need to save this encoded string as a file on the filesystem to be loaded? – Adnan Yaseen Apr 26 '21 at 14:15
  • You can just new up the X509Certificate2 based on the base64 string, you do not need a file. – Anders Revsgaard Apr 27 '21 at 07:06
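The round trip the answer describes, as an added example that is not from the answer or the ITfoxtec library: export a certificate with its private key to a base64 PFX string, rebuild it from that string alone, and prove the private key survived by signing and verifying a constructed payload, which is the check that was missing when the request could not be signed. It assumes a password-protected PFX (the answer exports without one) and the helper names `ToBase64Pfx`, `FromBase64Pfx` and `CanSign` are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class CertificateRoundTrip
{
    // Export certificate plus private key as a base64 PFX string (what goes in the
    // database). Assumes the cert was loaded with X509KeyStorageFlags.Exportable.
    public static string ToBase64Pfx(X509Certificate2 cert, string password)
    {
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("No private key: this cert can verify but not sign.");
        return Convert.ToBase64String(cert.Export(X509ContentType.Pfx, password));
    }

    // Rebuild the certificate straight from the stored string; no file needed.
    public static X509Certificate2 FromBase64Pfx(string base64, string password)
    {
        return new X509Certificate2(Convert.FromBase64String(base64), password);
    }

    // Sign a constructed payload and verify it with the public key, which is the
    // check that the private key survived the round trip.
    public static bool CanSign(X509Certificate2 cert)
    {
        var data = Encoding.UTF8.GetBytes("constructed test payload");
        using var rsaPrivate = cert.GetRSAPrivateKey();
        if (rsaPrivate == null) return false;
        var sig = rsaPrivate.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var rsaPublic = cert.GetRSAPublicKey();
        return rsaPublic.VerifyData(data, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    public static void Main()
    {
        // Constructed self-signed certificate so the sample runs without a cert file.
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=idp-signing-test", rsa,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var original = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1),
            DateTimeOffset.UtcNow.AddYears(1));
        const string pfxPassword = "placeholder-password"; // placeholder, not a real secret
        string stored = ToBase64Pfx(original, pfxPassword);
        using var reloaded = FromBase64Pfx(stored, pfxPassword);
        Console.WriteLine($"HasPrivateKey={reloaded.HasPrivateKey} CanSign={CanSign(reloaded)}");
    }
}
```

The stored string contains the private key, so protect the database column the way you would protect the .pfx file itself, and keep the PFX password out of source and configuration that is checked in.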