c# - Use for every Reyling Party seperate client Certificate? -


i'm reading on sso , used tutorial http://chris.59north.com/post/2013/04/09/building-a-simple-custom-sts-using-vs2012-aspnet-mvc.aspx creating custom sts.

if understood correct on sts machine installed certificate. reyling party sends thumbprint of x509 signature. relying party accept claims of sts proper certificate. correct?

if so, implement every relying party sending certificate sts sts got installed too. on request sts in trusted relying party list if sent certificate known sts.

is implemention idea , practice? there ressource implement this?

thanks

implementing custom sts hard work. advise have @ windows azure acs or thinktecture free sts starting point.
being said, having separate certificate relying party common practice. however, private key of certificate stored inside database in sts (acs , thinktecture both support this). relying party knows public key. security token (saml2 or jwt) signed acs security token , relying party can use public key (or thumbprint) verify signature. please notice saml2 token can encrypted (next being signed) , can use different certificate that. recommend using seperate certificate sts (or organisation) has kind of website "anybody" can register application relying party. if elying parties "internal" applications @ least consider using single certificate sign security tokens. has advantage can publish (public) key in federation meta data document (located @ federationmetadata/2007-06/federationmetadata.xml). if wish update key, can update there (by first publishing new , old key there , later new key). relying parties can update there keys based on meta data (adfs uses similar approach). bottom line : having seperate certificate per rp having single 1 (for signing - not encryption) easier update.


Comments

Popular posts from this blog

google api - Incomplete response from Gmail API threads.list -

Installing Android SQLite Asset Helper -

Qt Creator - Searching files with Locator including folder -