Azure B2C and Multiple certificates

Question

Azure B2C and Multiple certificates

Gola, Mariusz 45

Hi,

In Azure B2C is there a way to publish the new certificate in parallel with the old certificate in the metadata, so SPs have time to update before rolling over to the new certificate. We have few SP that have the x509 hard coded in config files. What is the best practice?

thank you

JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator

2023-09-14T23:02:10.2633333+00:00

@Gola, Mariusz

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Gola, Mariusz 45 Reputation points

2023-09-18T17:51:15.6033333+00:00

Hi,

Thank you for the answers, but I get that I can add multiple keys to the key container for the rollover. What I can't figure out is how to expose/use and both keys in the metadata similar to how ADFS handles it. ADFS has two certificates for rollover from secondary to primary. There is a period when both are valid so that SPs have time to make the change. You can use either. Both x509s are exposed in the metadata. Is this possible with Azure B2C custom policy.? Thank you
Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2023-09-26T07:52:01.24+00:00

Hi @Gola, Mariusz ,

As previously stated, it is possible to retain two certificates within B2C, but designating them as primary or secondary is not permitted. The selection is determined by the "nbf" (not before) and "exp" (expiration) parameters. When the current certificate reaches its expiration date, and the key container contains a new certificate with valid "nbf" and "exp" times, the transition to the new certificate will occur seamlessly, making it the active one.

Thanks,

Shweta
Gola, Mariusz 45 Reputation points

2023-09-26T14:21:02.7566667+00:00

Hi Shweta,

Ok, understood. Inconvenient as all the SPs have to make the change at the same time but. Thank you

Accepted answer

1 additional answer

Your answer

JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator

2023-09-14T23:02:10.2633333+00:00

@Gola, Mariusz

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Gola, Mariusz 45 Reputation points

2023-09-18T17:51:15.6033333+00:00

Hi,

Thank you for the answers, but I get that I can add multiple keys to the key container for the rollover. What I can't figure out is how to expose/use and both keys in the metadata similar to how ADFS handles it. ADFS has two certificates for rollover from secondary to primary. There is a period when both are valid so that SPs have time to make the change. You can use either. Both x509s are exposed in the metadata. Is this possible with Azure B2C custom policy.? Thank you
Shweta Mathur 30,296 Reputation points Microsoft Employee Moderator

2023-09-26T07:52:01.24+00:00

Hi @Gola, Mariusz ,

As previously stated, it is possible to retain two certificates within B2C, but designating them as primary or secondary is not permitted. The selection is determined by the "nbf" (not before) and "exp" (expiration) parameters. When the current certificate reaches its expiration date, and the key container contains a new certificate with valid "nbf" and "exp" times, the transition to the new certificate will occur seamlessly, making it the active one.

Thanks,

Shweta
Gola, Mariusz 45 Reputation points

2023-09-26T14:21:02.7566667+00:00

Hi Shweta,

Ok, understood. Inconvenient as all the SPs have to make the change at the same time but. Thank you

Answer 1

Hi @Gola, Mariusz ,

Thanks for reaching out.

It is possible to store multiple certificates in a policy key container, but only one will be picked up at a time.

The keys in a keyset are not replaceable or removable. If you need to change an existing key:

We recommend adding a new key with the activation date set to the current date and time. Azure AD B2C will activate the new key and stop using the prior active key.

The policy key container configures the nbf (not before) and exp (expiration) parameters based on certificate issuance and expiry dates. To enable automatic rollover, it's necessary to upload a new certificate to the same policy key container before the current certificate expires. Once the current certificate reaches its expiration date, and the key container holds a new certificate with valid nbf and exp times, the new certificate will seamlessly become active.

Reference - https://learn.microsoft.com/en-us/azure/active-directory-b2c/policy-keys-overview?pivots=b2c-custom-policy#key-rollover

Hope this will help.

Thanks,

Shweta

Please remember to "Accept Answer" if answer helped you.

Nick Kulke 0 Reputation points

2024-01-25T17:39:12.7666667+00:00

As Mariusz highlights, this accepted solution provides no value in practice. Saml metadata does not expose the future certificate until nbf has been passed. This leaves coordinated cutover with all SPs necessary and challenging. Outages must be expected on key renewal. Seamless in your comment is not helpful in practice.

Answer 2

Hi , Hope doing good!

Add the New Certificate: First, you should add the new certificate that you plan to use for token signing to your Azure AD B2C configuration.

Configure Metadata with Both Certificates: Ensure that the metadata published by Azure AD B2C includes both the old and new certificates. This way, SPs that support metadata updates can retrieve the new certificate information.

Notify Relying Parties: Notify your SPs about the certificate rotation and the presence of the new certificate in the metadata. Encourage them to update their configurations to include the new certificate.

Monitor the Transition Period: Allow some time for SPs to update their configurations to include the new certificate. During this transition period, both certificates (old and new) should be valid and included in the metadata.

Set Expiry on the Old Certificate: After a reasonable amount of time has passed and you believe most SPs have updated their configurations, you can set an expiry date on the old certificate. This effectively forces SPs to use the new certificate for token validation once the old one expires.

Remove the Old Certificate: Once the old certificate has expired and you are confident that all SPs have updated their configurations, you can safely remove the old certificate from your Azure AD B2C configuration and metadata.

This approach allows you to maintain compatibility with SPs during the transition period, especially for those that rely on the metadata for certificate information. SPs that have hard-coded the X.509 certificate in their configurations will need to update their settings manually or programmatically to use the new certificate.

It's essential to communicate with your SPs throughout this process, providing clear instructions and timelines for the certificate rotation. Additionally, you should carefully plan and coordinate the transition to minimize disruptions to your applications and services.

Please fine MS doc for ref:

https://learn.microsoft.com/en-us/azure/active-directory-b2c/tokens-overview

Also , kindly accept answer if helps, Thankyou!

Gola, Mariusz 45 Reputation points

2023-09-20T19:55:08.5933333+00:00

Thanks for that. But how do I expose both x509s in the metadata vis custom policy.

To be clear, I have two valid certs in the key container .

Yet only one is exposed via the metadata. See below.

How do I expose both certs during the rollover period. Thank you
BhaskarVarshney-8188 0 Reputation points

2024-06-24T07:20:27.0833333+00:00

Hi @deepanshukatara-6769.

I've added multiple keys in the same container, but as we know only 1 key will be active in the container at a time according to nbf and exp values.

The certificate values you find in the metadata are fetched from the container only, by providing the container name into the property: StorageReferenceId of element Key inside the CryptographicKeys tag, inside the base policy.

I then tried multiple approaches:

I've also tired to add the multiple keys, but a duplicate key validation error is thrown while upload.

I've also tried with different Id values like SamlAssertionSigningOld, and SamlAssertionSigningNew, but this is a different validation error occured, stating that the key Id SamlAssertionSigning must be present.

Since, there must be a key Id with value SamlAssertionSigning, so I tried adding the old cert with another key Id value. But in this case, the metadata picked the certificate from the keyId SamlAssertionSigning.
Only, SamlAssertionSigning value is picked, leaving SamlAssertionSigning2.

Also, could you please clear a doubt which i got after reading your approach, that if you want your relying parties (some having new updated cert and some with old cert) to continue with old and new certificates, how will you send the SAML token signed with 2 different certificates or you'll send 2 different tokens. But, on sending 2 different tokens the logic must be present on the relying party side.

Also, It would be a great help if you can share any source from where you referred this approach, or please elaborate more.

Thank you.

Share via

Azure B2C and Multiple certificates

1 additional answer

Your answer