Adfs: Difference between token decrypting certificate and relying party signature verification certificate

Question

I am trying to set up a Relying Party (SP) with ADFS. ADFS recognizes and responds for requests without signature. But ADFS fails to verify a signed AuthRequest. I have a certificate imported into relying party's 'Signature verification certificates' section but this certificate does not seem to be used in signature verification of requests from the relying party.

Rather it seems to use a 'token-decrypting' certificate. I do not understand the purpose of this certificate. Can someone please explain me the difference between these two certificates and how to replace a 'token-decrypting' certificate with another self-signed certificate (in DER or pem format)? Thanks

Fyi: sample AuthnRequest sent to ADFS

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://adfs-sj1.sjlab.local/adfs/ls/" ID="_422d0bb72b1120db737695464793dedf4ea8ddd2" IssueInstant="2012-07-30T21:52:47.501Z" Version="2.0">
    <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">spid</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
            <ds:Reference URI="#_422d0bb72b1120db737695464793dedf4ea8ddd2">
                <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                </ds:Transforms>
                <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
                <ds:DigestValue>S5b7PCF8WscoOX++EcpyjQNW4q0=</ds:DigestValue>
            </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>g1PXYERi48Q/vGXNBPwZlteyihQmt3eo9+MIQlBdC8MqTsm8GdvE1Nq4osszEyprAK5Q6Uv5QV/UgctUWGV2hUxLc5bpXVwpaYaoywH0XPXArROR1EyGVz2g5YAjgGxpU0YbxJIk+2A1DblE0alYSK/88oHHcmpwp6dmgwmvfXcRA83DnVCeIZoKSPuNTqSLb6UKk+QxUABieuAb1ecsQmJsEjUXcrPq+RPL1+goNhC4/vbPatuK90ZyZe5CljwAtWXmqoBzWexxgWdzs4E9zIc/aQi/HFioGz0EnPiipgBjHRlV+Gv0iFV1dS++a24+F7H2NG6aZSGipcyj2kJMDg==</ds:SignatureValue>
    </ds:Signature>
</saml2p:AuthnRequest>

rbrayb rbrayb · Accepted Answer · 2012-07-31T19:44:41

Good article: AD FS 2.0: How to Replace the SSL, Service Communications, Token-Signing, and Token-Decrypting Certificates.

The Service Communications certificate is essentially the IIS SSL certificate and serves the same purpose.

The Token-Decrypting certificate is for communication with other claims providers. They encrypt the token with this certificate's public key and ADFS decrypts with the private key.

The Token-Signing certificate is used to sign the token sent to the RP to prove that it indeed came from ADFS.

Plus when you select the encrypt option when using FedUtil, you use another certificate on the RP side to encrypt the token. In this case, it is double encrypted - SSL plus RP certificate.

Your question is somewhat confusing. ADFS always signs the RP token. It's not optional. Could you please clarify?

Adfs: Difference between token decrypting certificate and relying party signature verification certificate

3 Answers