Why is a publicly recognized certificate recommended for SAML authentication in Azure AD B2C ?

Masayoshi Sawada 1 Reputation point
2022-11-01T08:38:58.41+00:00

SAML authentication is implemented in Azure AD B2C; a certificate must be set up in Azure AD B2C, and the documentation recommends using a certificate issued by a public certificate authority. What is the reason for this?

In a production environment, we recommend using certificates that a public certificate authority has issued. But you can also complete this procedure with self-signed certificates.

There should be no need to externally verify the validity of the certificate in SAML authentication. Also, considering the case where certificates are periodically renewed for security reasons, it seems redundant to use certificates issued by an external public certification authority.

Google Workspace, for example, states in its documentation to use self-signed certificates.

Why does Azure AD B2C recommend using certificates issued by public certificate authorities?

Microsoft Entra External ID
Microsoft Entra External ID
A modern identity solution for securing access to customer, citizen and partner-facing apps and services. It is the converged platform of Azure AD External Identities B2B and B2C. Replaces Azure Active Directory External Identities.
2,752 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,448 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. JimmySalian-2011 42,066 Reputation points
    2022-11-01T09:20:40.5+00:00

    Hi,

    I am assuming it is a Microsoft way of giving you an option and preferences as each customers requirements is different and some prefer to use custom/Public Certificates instead of self signed Certificates. I will not go deep into the nitty gritty of Security aspects as with on field experience I have noticed many prefer custom public Certificates instead of self signed ones. However if you feel it is not correct and should be addressed I will suggest you to raise a feedback over here.

    Hope this helps.
    JS

    ==
    Please Accept the answer if the information helped you. This will help us and others in the community as well.

    0 comments No comments