Azure B2C SAML Certificates

robcool 116 Reputation points
2022-03-11T07:44:43.527+00:00

Does the SAML signing certificate in the B2C policy key need to be a .pfx file (with password protection), or can it be a .cert file without any password protection?
How can the certificates be rolled over in the B2C Identity framework policy set?


Accepted answer
  AmanpreetSingh-MSFT 56,871 Reputation points Moderator
    2022-03-11T09:24:05.773+00:00

    Hi @robcool • Thank you for reaching out.

    As documented under Set up certificates, the SAML signing certificate in the B2C policy key must be stored with its private key. That means it has to be a password-protected .pfx file.

    • SAML response signing: A certificate with a private key stored in Azure AD B2C. Azure AD B2C uses this certificate to sign the SAML response sent to your application. Your application reads the metadata public key in Azure AD B2C to validate the signature of the SAML response.
    • SAML assertion signing: A certificate with a private key stored in Azure AD B2C. Azure AD B2C uses this certificate to sign the <saml:Assertion> part of the SAML response.

    Based on the certificate issuance and expiry date, the nbf and exp parameters are set in the policy key container. So, for auto rollover, you must upload a new certificate to the same policy key container prior to the expiry of the current certificate. When the current certificate expires and the key container contains a new certificate with a valid nbf (not before) and exp (expiration) time, the new cert will become active automatically.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
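The rollover rule described in the accepted answer, as an added example that is not part of the original post or of Azure AD B2C itself: a small model of a policy key container whose versions carry nbf/exp, with a check that reports when signing would stop if no replacement certificate is uploaded in time. The selection rule (the current certificate stays active until its exp, then the next version with a valid window takes over) is an assumption modeled from the answer; the thumbprints and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


def utc(year: int, month: int, day: int) -> datetime:
    """Build a timezone-aware UTC timestamp (keeps the example self-contained)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class KeyVersion:
    """One certificate uploaded to a B2C policy key container.
    nbf/exp mirror the certificate's validity period (constructed values)."""
    thumbprint: str
    nbf: datetime
    exp: datetime


def active_version(versions: List[KeyVersion], now: datetime) -> Optional[KeyVersion]:
    """Return the version that would sign at `now`.
    Assumption (from the answer): a version is usable only inside [nbf, exp),
    and the certificate that became valid first keeps signing until it expires,
    so a replacement uploaded early does not take over before the old one expires."""
    live = [v for v in versions if v.nbf <= now < v.exp]
    return min(live, key=lambda v: v.nbf) if live else None


def signing_stops_at(versions: List[KeyVersion], now: datetime) -> datetime:
    """Earliest moment >= now at which no version is active, i.e. when
    B2C would have no valid signing key. Operators can alert on this
    date minus a lead time to make sure a new .pfx is uploaded first."""
    if active_version(versions, now) is None:
        return now
    boundaries = sorted({v.nbf for v in versions} | {v.exp for v in versions})
    for t in boundaries:
        if t > now and active_version(versions, t) is None:
            return t
    return max(v.exp for v in versions)


if __name__ == "__main__":
    current = KeyVersion("AAAA-constructed", utc(2022, 1, 1), utc(2023, 1, 1))
    replacement = KeyVersion("BBBB-constructed", utc(2022, 12, 1), utc(2024, 1, 1))
    container = [current, replacement]
    print("active now:", active_version(container, utc(2022, 6, 1)).thumbprint)
    print("signing stops at:", signing_stops_at(container, utc(2022, 6, 1)))
```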

