Options to purchase an authority signed SAML Message Signing Key / Certificate and then how to upload to Azure AD B2C

Stuart 0 Reputation points
2025-01-13T11:18:21.14+00:00

Hi,

Apologies for using the tag 'Microsoft Entra ID' as I couldn't find a tag for Azure AD B2C. Could an admin please assign the correct tag if one exists.

The issue I'm currently facing is that for the last few months we have been running with a self-signed certificate for the SAML Message Signing Key. This self-signed certificate was created using the following process (On a Mac):

- Log into Azure
- Navigate to the `Azure AD B2C` service
- Navigate to `Identity Experience Framework`
- Navigate to `Policy Keys`
- Delete `B2C_1A_SamlMessageSigningKey`
- Create a new certificate...
  - On Mac
    - Load up `Keychain access`
    - Select `Keychain access` -> `Certificate Assistant` -> `Create a Certificate`
    - Name: `SAML Production`
    - Identity Type: `Self-Signed Root`
    - Certificate Type: `Code Signing`
    - Password: 
    - Create the new certificate and then right click to export it as a `.p12` file
    - Change the file extension to `.pfx` and the file will be ready for upload
- Upload the file to Azure
  - Select `Add`
  - Change Options to `Upload`
  - Enter the name as `SamlMessageSigningKey` on production
  - Upload the `.pfx` file
  - Enter a password...
  - Click on `Create`

The issue is that we are now trying to move over to a signed certificate which is signed by a valid and reputable authority. So my questions are as follows:

  • Where can I purchase one of these signed certificates from?
  • What 'type' of certificate do I need to purchase? I've seen references to 'code signing' and various other certificates which are available.
  • How do I then upload the certificate to Azure AD B2C? I've noticed a lot of certificates, when purchased, come on a USB pen or CD and then need to be used via their own software.

Thanks for your time.

Microsoft Entra ID

1 answer

  1. Raja Pothuraju 12,200 Reputation points Microsoft Vendor
    2025-01-15T18:16:24.2966667+00:00

    Hello @Stuart,

    Thank you for posting your query on Microsoft Q&A.

    Based on your description, I see you are looking to purchase a certificate to connect with your SAML application in your Azure AD B2C tenant instead of using self-signed certificates. You can purchase a signed certificate from a reputable Certificate Authority (CA) such as DigiCert, GlobalSign, or Comodo. As you are looking to use the certificate for SAML message signing, you will need to purchase a certificate that supports digital signatures. You need to export your SSL cert as a .pfx file. The structure of an X.509 v3 digital certificate is as follows:

    • Certificate
      • Version Number
      • Serial Number
      • Signature Algorithm ID
      • Issuer Name
      • Validity period
        • Not Before
        • Not After
      • Subject name
      • Subject Public Key Info
        • Public Key Algorithm
        • Subject Public Key
      • Issuer Unique Identifier (optional)
      • Subject Unique Identifier (optional)
      • Extensions (optional)
    • Certificate Signature Algorithm
    • Certificate Signature

    Once you have obtained the certificate, you can upload it to Azure AD B2C by following these steps:

    1. Sign in to the Azure portal.
    2. If you have access to multiple tenants, select the Settings icon in the top menu to switch to your Azure AD B2C tenant from the Directories + subscriptions menu.
    3. Select All services in the upper-left corner of the Azure portal, and then search for and select Azure AD B2C.
    4. On the Overview page, select Identity Experience Framework.
    5. Select Policy Keys, and then select Add.
    6. For Options, select Upload.
    7. For Name, enter a name for the policy key. For example, enter SamlIdpCert. The prefix B2C_1A_ is added automatically to the name of your key.
    8. Browse to and select your certificate .pfx file with the private key.
    9. Select Create.

    If your certificate comes on a USB pen or CD and requires its own software, you will need to follow the instructions provided by the CA to install the certificate on your machine. Once the certificate is installed, you can export it as a .pfx file and upload it to Azure AD B2C as described above.

    Ref: https://learn.microsoft.com/en-us/azure/active-directory-b2c/saml-service-provider?tabs=windows&pivots=b2c-custom-policy
    https://en.wikipedia.org/wiki/X.509

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.
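As an added example (not code from the question or from the answer above), the following script is the openssl equivalent of the Keychain Access procedure in the question: it generates a signing key, produces a self-signed certificate, packs key and certificate into the .pfx that the Policy Keys "Upload" option expects, and runs the checks worth doing before uploading. It also includes the CSR step you would use to obtain a CA-issued certificate instead, and a function to pack the CA-returned certificate with the same key. It assumes openssl 1.1.1 or 3.x on PATH and a writable scratch directory; the file names, the subject (saml.example.com / Example Ltd) and the password are placeholders.

```shell
#!/bin/sh
# Added example (not code from the question or the answer above).
# Assumes: openssl (1.1.1 or 3.x) on PATH and a writable scratch directory.
# File names, the subject DN and the password are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CFG="$WORK/saml-signing.cnf"
KEY="$WORK/saml-signing.key"
CSR="$WORK/saml-signing.csr"
CRT="$WORK/saml-signing.crt"
PFX="$WORK/saml-signing.pfx"
PFX_PASS="${PFX_PASS:-change-me}"   # what you type into the Policy Keys upload form

# Minimal OpenSSL config so the example does not depend on the system openssl.cnf.
# The profile is a plain signing certificate: keyUsage digitalSignature only, with
# no TLS-server or code-signing extended key usage, because B2C only uses the key
# to sign SAML messages.
write_config() {
    cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
prompt = no

[dn]
CN = saml.example.com
O = Example Ltd

[signing_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
EOF
}

# Step 1: private key plus CSR. A commercial CA receives only the CSR; the key
# stays in this file so it can later be packed into the .pfx that B2C needs.
make_key_and_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "$KEY" 2>/dev/null
    openssl req -new -config "$CFG" -key "$KEY" -out "$CSR"
}

# Step 2a: self-signed certificate, the openssl equivalent of the Keychain Access
# steps in the question (two years validity, SHA-256).
self_sign() {
    openssl x509 -req -in "$CSR" -signkey "$KEY" -days 730 -sha256 \
        -extfile "$CFG" -extensions signing_ext -out "$CRT" 2>/dev/null
}

# Step 2b: CA-issued certificate. Pass the file the CA returned (and its chain,
# if any); the same key is then packed with it instead of the self-signed cert.
# Not run in the stand-alone flow because there is no CA to talk to offline.
use_issued_cert() {
    cp "$1" "$CRT"
    [ $# -ge 2 ] && cp "$2" "$WORK/chain.pem"
    return 0
}

# Step 3: PKCS#12 container holding the private key, which is what the portal's
# "Upload" option expects. OpenSSL 3 encrypts it with AES-256/PBKDF2 by default;
# if an importer rejects that, re-run with "-legacy" for the older 3DES/SHA-1 encoding.
make_pfx() {
    chain_opt=""
    [ -f "$WORK/chain.pem" ] && chain_opt="-certfile $WORK/chain.pem"
    # shellcheck disable=SC2086
    openssl pkcs12 -export -inkey "$KEY" -in "$CRT" $chain_opt \
        -name "SamlMessageSigningKey" -passout "pass:$PFX_PASS" -out "$PFX"
}

# Pre-upload checks: the file opens with the password, carries a private key, and
# the certificate has the digitalSignature key usage. Returns 0 when all hold.
check_pfx() {
    openssl pkcs12 -in "$PFX" -passin "pass:$PFX_PASS" -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY' || return 1
    openssl pkcs12 -in "$PFX" -passin "pass:$PFX_PASS" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -text \
        | grep -A1 'Key Usage' | grep -q 'Digital Signature' || return 1
}

# SHA-1 thumbprint, 40 hex characters without colons, so you can confirm the
# policy key shown in the portal is the certificate you just built.
thumbprint() {
    openssl x509 -in "$CRT" -noout -fingerprint -sha1 | sed 's/.*=//; s/://g'
}

write_config
make_key_and_csr
self_sign
make_pfx
check_pfx || { echo "pfx check failed" >&2; exit 1; }
echo "pfx ok: $PFX  thumbprint $(thumbprint)"
```

For the CA-issued path, send `saml-signing.csr` to the CA, then call `use_issued_cert issued.crt chain.pem` followed by `make_pfx` and `check_pfx`; the private key is never regenerated, so the .pfx pairs the CA's certificate with the key created in step 1. Delete the .pfx and the scratch directory once the upload has succeeded, since they contain the unencrypted private key material behind the password.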

