Service X509Certificate Configuration

Topics: Security
Mar 12, 2007 at 5:31 PM
Could someone provide the reasoning or use of each of the X509 certificates from each STS and service? How do they relate to one another (e.g. AuthSTS has CERT1, AuthZSTS references CERT1 and has CERT2, etc...)? Which ones could/should be unique?

Btw, this is a fabulous web application sample. I have picked up so many tricks just looking through the source and trying to understand how it all relates and interacts.
Mar 13, 2007 at 3:31 PM
The Authorization STS trusts the Authentication STS, and not necessarily the other way around.
Please take a look at this post by Matias Woloski that explains in detail how the Federated security scenario is implemented on LitwareHR application. This WCF federated security sample might help too.

Ariel Schapiro
Mar 14, 2007 at 3:04 PM
What I was really looking for were possible unique certs and who had what reference. I think I understand this now, but that's only after working up my own sample of federated STS.

For example, what cert does the AuthorizationSTS own, which ones does it reference, then the same for the AuthorizationSTS and finally the actual services.

I am interested in this because I need to know how many requests for certs I need to send to our PKI team and where each cert will be stored and owned and who/what needs the public key installed.
Mar 28, 2007 at 5:55 PM
Edited Mar 30, 2007 at 7:24 AM
These are the certificates that you need:
  • AuthenticationSTS:
    • You need a certificate (A) to sign the SAML token (on LocalMachine store).
  • AuthorizationSTS:
    • You need the public key of the AuthenticationSTS certificate (A) to verify the SAML token was issued by the AuthenticationSTS (on Trusted People).
    • You need the public key of the certificates (B) that the services use. This key will allow you to encrypt the SAML token. (on Trusted People)
    • You need a certificate (C) to sign the SAML token. (on LocalMachine)
  • Services:
    • You need a certificate (B) to decrypt the SAML token encrypted by the AuthorizationSTS on the service and extract the claims. (on LocalMachine)
    • You need the public key of the certificate (C) to verify the SAML token was issued by the AuthorizationSTS (on Trusted People)

You can actually have a different certificate for each service. That's why the Authorization STS has the <scopedCertificates> section in the config file.

Let me know if this helps
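The store layout in the answer above, as an added worked example that is not part of the LitwareHR sample or of this thread. It creates the three certificate roles (A, C, and one B per service) and puts private keys in LocalMachine\My and public keys in LocalMachine\TrustedPeople, the way the list describes. Assumptions: a Windows 10 / Server 2016 or later PKI module (New-SelfSignedCertificate, Export-Certificate, Import-Certificate), an elevated PowerShell session, and a single development machine, so the "hand the public key to the other host" step is just an import into the local TrustedPeople store; the subject names and the two service names are made up for the example.

```powershell
# Added example, not LitwareHR code. One dev box stands in for the three hosts.
# On a real deployment each private key is generated on (or delivered only to)
# the host that owns it; only the .cer (public key) crosses machine boundaries,
# and that .cer is what you hand to the PKI team's consumers.
$ErrorActionPreference = 'Stop'
$exportDir = Join-Path $env:TEMP 'sts-certs'
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# Owner -> subject (assumed names).
#   A: AuthenticationSTS signing cert
#   C: AuthorizationSTS signing cert
#   B: one per service, which is why the AuthorizationSTS config has <scopedCertificates>
$subjectA   = 'CN=AuthenticationSTS'
$subjectC   = 'CN=AuthorizationSTS'
$serviceSubjects = @{
    'B-HRService'      = 'CN=HRService'
    'B-PayrollService' = 'CN=PayrollService'
}

function New-StsCertificate {
    param([string]$Subject, [switch]$ForEncryption)
    # A and C only sign. A service cert (B) must unwrap the symmetric key that
    # encrypts the SAML token, so it needs KeyEncipherment; KeySpec KeyExchange
    # makes the key usable for decryption in WCF (a signature-only key is not).
    $usage = if ($ForEncryption) { 'KeyEncipherment', 'DigitalSignature' } else { 'DigitalSignature' }
    New-SelfSignedCertificate -Subject $Subject `
        -CertStoreLocation 'Cert:\LocalMachine\My' `
        -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
        -KeySpec KeyExchange -KeyExportPolicy NonExportable `
        -KeyUsage $usage -NotAfter (Get-Date).AddYears(2)
}

function Export-PublicKey {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Name)
    # A .cer holds only the public key; this is the file that goes to the other party.
    $path = Join-Path $exportDir "$Name.cer"
    Export-Certificate -Cert $Cert -FilePath $path -Type CERT | Out-Null
    return $path
}

function Install-TrustedPeer {
    param([string]$CerPath)
    # TrustedPeople means "trust exactly this certificate", no chain building,
    # which is what certificateValidationMode="PeerTrust" checks in WCF.
    Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\TrustedPeople' | Out-Null
}

# Private keys, each on its owner's host (here: the same LocalMachine\My store).
$certA = New-StsCertificate -Subject $subjectA                       # AuthenticationSTS owns A
$certC = New-StsCertificate -Subject $subjectC                       # AuthorizationSTS owns C
$serviceCerts = @{}
foreach ($name in $serviceSubjects.Keys) {
    $serviceCerts[$name] = New-StsCertificate -Subject $serviceSubjects[$name] -ForEncryption  # each service owns its B
}

# Public-key distribution, following the list above:
#   AuthorizationSTS host: A.cer (verify A's signature) + every B.cer (encrypt per service)
#   Service hosts:         C.cer (verify the AuthorizationSTS signature)
Install-TrustedPeer (Export-PublicKey $certA 'A-AuthenticationSTS')
foreach ($name in $serviceCerts.Keys) {
    Install-TrustedPeer (Export-PublicKey $serviceCerts[$name] $name)
}
Install-TrustedPeer (Export-PublicKey $certC 'C-AuthorizationSTS')

# Sanity check: HasPrivateKey should be True only in My, False in TrustedPeople.
# The thumbprints are what you put in the findValue attributes of the WCF config.
foreach ($store in 'My', 'TrustedPeople') {
    "--- Cert:\LocalMachine\$store"
    Get-ChildItem "Cert:\LocalMachine\$store" |
        Where-Object { $_.Subject -match 'STS$|Service$' } |
        Select-Object Subject, HasPrivateKey, Thumbprint | Format-Table -AutoSize
}
```

Two things the script does not do that a real rollout needs: the account the STS or service runs under must be granted read access to its own private key (Certificates MMC, "Manage Private Keys", or an ACL on the key file), and when each host is a separate machine you copy only the exported .cer files, never the private keys. The per-service B keys are the ones that would multiply as services are added; A and C are one each.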
Mar 28, 2007 at 8:04 PM
That is exactly what I was looking for. I eventually figured it out through the code, config, and writing my own set of services. Thank you very much though, I'm sure this will help someone else trying to implement an STS.