Azure B2C SAML Certificates

Question

Does the SAML signing certificate in B2C policy key need to be .pfx file (with password protection) or can it be a .cert file without any password protection ?
How can the certificates be rolled over in B2C Identity framework policy set ?

Answer 1

Hi @robcool • Thank you for reaching out.

As documented under Set up certificates, the SAML signing certificate in the B2C policy key must be stored with its private key. That means, it has to be a password-protected .pfx file.

• SAML response signing: A certificate with a private key stored in Azure AD B2C. Azure AD B2C uses this certificate to sign the SAML response sent to your application. Your application reads the metadata public key in Azure AD B2C to validate the signature of the SAML response.
• SAML assertion signing: A certificate with a private key stored in Azure AD B2C. Azure AD B2C uses this certificate to sign the <saml:Assertion> part of the SAML response.

Based on the certificate issuance and expiry date, the nbf and exp parameters are set in the policy key container. So, for auto rollover, you must have to upload a new certificate to the same policy key container prior to the expiry of the current certificate. When the current certificate expires and the key container contains a new certificate with valid nbf (not before) and exp (expiration) time, the new cert will become active automatically.

-----------------------------------------------------------------------------------------------------------

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.