Tags: azure-active-directory, saml, arcgis-online

Azure AD - Where to add the public key certificate from the Service Provider to encrypt the SAML assertion


I have been given a Public Key Certificate by the Service Provider (ArcGIS Online) which I want to use to encrypt the assertion sent from Azure AD (IdP).

Do I import the certificate (with KeyDescriptor="encryption") under Single Sign On > SAML Signing Certificate?

https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/certificate-signing-options

Or under Token Encryption?

https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/howto-saml-token-encryption

The SAML Signing Certificate page has the option to "Encrypt assertion", but the help page for Token Encryption suggests that this is the place to import a certificate to encrypt an assertion. Please explain the difference between the two locations where certificates can be imported.


Solution

  • You add it to token encryption.

    Azure AD uses its own certificate to sign the token. There are different ways to sign the token as per the article.

    You should have been given a .cer file. This is the public key used to encrypt the assertions, i.e. the claims.

    The SP (application) uses the private key to decrypt.

    So the token is signed by the AAD certificate but the assertions within the token are encrypted by the encryption certificate.
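The split the answer describes (IdP signature on the Response, SP encryption key wrapping the Assertion) is easy to confirm on the wire. The script below is an added example, not part of the original question or answer and not ArcGIS Online or Azure AD code: it pulls the `use="encryption"` certificate out of a service provider's metadata (the one you would upload under Token Encryption) and checks a SAML Response for a signature and for an `EncryptedAssertion`. All XML and certificate values are constructed placeholders, and the element names are the standard SAML 2.0 metadata, protocol, assertion, XML-DSig and XML-Enc ones.

```python
"""Inspect SAML SP metadata and IdP responses to see which certificate does what.

Added example, not from the original post. Every XML document below is
constructed sample data and the certificate/signature values are placeholders.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}

# Constructed SP metadata: one KeyDescriptor for signing, one for encryption.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER_SP_SIGNING_CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER_SP_ENCRYPTION_CERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed response shaped like an IdP's output with token encryption on:
# the Response carries the IdP signature, the assertion is an EncryptedAssertion.
ENCRYPTED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="_r1" Version="2.0">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:EncryptedAssertion>
    <xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
      <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
      <xenc:CipherData><xenc:CipherValue>PLACEHOLDER</xenc:CipherValue></xenc:CipherData>
    </xenc:EncryptedData>
  </saml:EncryptedAssertion>
</samlp:Response>"""

# Same shape with encryption off: the assertion and its attributes are readable.
PLAIN_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>user@example.test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def certs_by_use(metadata_xml, use):
    """Return X509Certificate values of KeyDescriptors matching the given use.

    A KeyDescriptor without a 'use' attribute is valid for both roles, so it is
    included for either value of 'use'.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") in (None, use):
            for cert in kd.iterfind(".//ds:X509Certificate", NS):
                certs.append(cert.text.strip())
    return certs


def inspect_response(response_xml):
    """Report whether the Response is signed and whether its assertion is encrypted."""
    root = ET.fromstring(response_xml)
    return {
        "response_signed": root.find("ds:Signature", NS) is not None,
        "assertion_encrypted": root.find("saml:EncryptedAssertion", NS) is not None,
        "plaintext_assertion": root.find("saml:Assertion", NS) is not None,
        "plaintext_attributes": len(root.findall(".//saml:Attribute", NS)),
    }


if __name__ == "__main__":
    print("Upload under Token Encryption:", certs_by_use(SP_METADATA, "encryption"))
    print("Encrypted response:", inspect_response(ENCRYPTED_RESPONSE))
    print("Plain response:", inspect_response(PLAIN_RESPONSE))
```

A useful check after enabling token encryption is to capture one real Response from the browser and run `inspect_response` over it: `plaintext_attributes` should be 0 and `assertion_encrypted` true, while `response_signed` stays true because the IdP's own signing certificate is unaffected by the upload. Note that `ET.fromstring` is used here only to read structure; decrypting or verifying a production token still requires an XML-security library and the SP's private key.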