Hi @robcool • Thank you for reaching out.
As documented under Set up certificates, the SAML signing certificate in the B2C policy key must be stored with its private key. That means it has to be a password-protected .pfx file.
- SAML response signing: A certificate with a private key stored in Azure AD B2C. Azure AD B2C uses this certificate to sign the SAML response sent to your application. Your application reads the metadata public key in Azure AD B2C to validate the signature of the SAML response.
- SAML assertion signing: A certificate with a private key stored in Azure AD B2C. Azure AD B2C uses this certificate to sign the <saml:Assertion> part of the SAML response.
Based on the certificate issuance and expiry date, the nbf and exp parameters are set in the policy key container. So, for auto rollover, you have to upload a new certificate to the same policy key container prior to the expiry of the current certificate. When the current certificate expires and the key container contains a new certificate with a valid nbf (not before) and exp (expiration) time, the new cert will become active automatically.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
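The rollover behaviour described in the answer, written out as a small model so it can be checked before a certificate expires. This is an added example, not code from the answer above or from Microsoft; it assumes the key container's nbf/exp values are plain seconds since the epoch (as the Graph trustFrameworkKey resource exposes them), and the tie-break "the key that became valid earliest keeps signing until it expires" is a modelling assumption, not a documented B2C rule. The key records are constructed sample data; no tenant is contacted.

```python
"""Model of an Azure AD B2C policy key container holding SAML signing
certificates, using the activation rule from the answer above: a key is
usable while nbf <= now < exp, and when the active key expires the next key
with a valid window takes over automatically.

Assumptions (not from the page): nbf/exp are epoch seconds, and among
several usable keys the one with the earliest nbf is the active signer.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ContainerKey:
    kid: str   # key identifier inside the container
    nbf: int   # not-before, seconds since epoch (from the cert's notBefore)
    exp: int   # expiry, seconds since epoch (from the cert's notAfter)


def usable_keys(keys, now):
    """Keys whose validity window covers `now`. A relying party that reads
    the B2C metadata should accept signatures from any of these, not only
    the first one listed, or it will break during rollover."""
    return [k for k in keys if k.nbf <= now < k.exp]


def active_key(keys, now):
    """The key B2C would sign with at `now` under the modelled rule:
    the usable key that became valid earliest (assumption, see above)."""
    candidates = usable_keys(keys, now)
    if not candidates:
        return None
    return min(candidates, key=lambda k: (k.nbf, k.kid))


def rollover_status(keys, now, lead_time):
    """Report whether the container already holds a successor that will be
    valid the instant the current key expires.

    States:
      covered          - a successor takes over at current.exp, nothing to do
      no_successor_yet - no successor, but expiry is more than lead_time away
      expiry_uncovered - no successor and expiry is within lead_time: upload
                         a new .pfx to the same container now
      no_usable_key    - nothing in the container is valid at `now`
    """
    current = active_key(keys, now)
    if current is None:
        return {"state": "no_usable_key", "current": None, "successor": None}
    # Which key would be active at the first instant the current one is gone?
    successor = active_key(keys, current.exp)
    if successor is not None:
        state = "covered"
    elif current.exp - now <= lead_time:
        state = "expiry_uncovered"
    else:
        state = "no_successor_yet"
    return {"state": state, "current": current, "successor": successor}


def ts(iso):
    """Helper: ISO-8601 string (UTC) -> epoch seconds."""
    return int(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp())


# Constructed sample container: the 2024 key was uploaded two months before
# the 2023 key expires, so its window overlaps the old key's expiry.
SAMPLE_KEYS = [
    ContainerKey("key-2023", ts("2023-01-01T00:00:00"), ts("2024-01-01T00:00:00")),
    ContainerKey("key-2024", ts("2023-11-01T00:00:00"), ts("2025-01-01T00:00:00")),
]

if __name__ == "__main__":
    thirty_days = 30 * 86400
    for when in ("2023-06-01T00:00:00", "2023-12-15T00:00:00", "2024-01-01T00:00:00"):
        st = rollover_status(SAMPLE_KEYS, ts(when), thirty_days)
        print(when, "active:", st["current"].kid, "state:", st["state"])
```

Run the check against the container contents shortly before each expiry; "expiry_uncovered" is the condition the answer warns about, where the new certificate has not yet been uploaded to the same key container. Uploading the replacement .pfx itself is not modelled here.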