1
votes

We are looking to implement a SAML-based IDP (with signed response & encrypted assertion) in Azure, and our SP will be some other service. For this, we need to configure our SP public cert at the IDP side in Azure. We have created a basic IDP with "Azure Active Directory>>Enterprise applications>>Non-gallery application". So now we need to know how we can configure the SP public cert at the IDP in Azure?

2 Answers

1
votes

You don't have to configure your SP public cert in Azure AD. Azure AD will ignore the signature in the SAML request. The only thing you need to configure in Azure AD is Identifier, Reply URL and add any custom attribute expected in the SAML response. Then, use the metadata or certificate to configure SSO on the SP.

Take a look at these docs:

Azure AD Single Sign-On SAML protocol

In case you want to list your application in the AAD Gallery for allowing common customers to add and configure your application: Listing your application in the Azure Active Directory application gallery

0
votes

Signed Response
Azure AD has an option for signing its SAML Responses. Just make sure you download Azure's metadata to grab Azure's signing certificate.

Encrypted Response
Azure AD calls encrypting the assertions inside the SAML Response "Encrypted Tokens", which is really not a very good name at all. It is also, unfortunately, not with the rest of the SAML options. This page explains how to do it. You will need to have your SP enc cert in PEM format. The rest should be simple.
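The two pieces of plumbing this answer describes, pulling the IdP signing certificate out of the downloaded federation metadata and handing over the SP's encryption certificate in PEM form, as an added worked example in Python. This is not code from the answer or from Microsoft: the metadata document is a constructed sample with a placeholder tenant ID, endpoint and certificate bytes, and only the standard library is used.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder for the DER bytes of a certificate; real federation
# metadata carries a genuine X.509 certificate here.
PLACEHOLDER_DER = b"constructed placeholder, not a real DER-encoded X.509 certificate"
PLACEHOLDER_B64 = base64.b64encode(PLACEHOLDER_DER).decode()

# Constructed sample shaped like the IdP federation metadata Azure AD lets you
# download; entityID, tenant and Location are placeholders, not real values.
SAMPLE_IDP_METADATA = f"""<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{PLACEHOLDER_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def _wrap_pem(b64: str) -> str:
    """Wrap bare base64 certificate text in the PEM armour SP libraries expect."""
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def extract_idp_signing_certs(metadata_xml: str) -> list:
    """Return the IdP's signing certificates from federation metadata as PEM strings.

    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption per the SAML metadata spec, so it is kept; use="encryption" is
    skipped. Several signing certificates can be present during a key rollover,
    and the SP must trust every one of them or logins break mid-rollover.
    """
    root = ET.fromstring(metadata_xml)
    pems = []
    for kd in root.iterfind("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())  # metadata often line-wraps the value
            base64.b64decode(b64, validate=True)       # reject malformed content early
            pems.append(_wrap_pem(b64))
    return pems


def pem_to_metadata_b64(pem: str) -> str:
    """Strip PEM armour down to the bare base64 a <ds:X509Certificate> element carries."""
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        raise ValueError("expected a PEM-armoured CERTIFICATE block")
    b64 = "".join(lines[1:-1])
    base64.b64decode(b64, validate=True)
    return b64


def sp_encryption_key_descriptor(sp_cert_pem: str) -> str:
    """Build the KeyDescriptor the SP's own metadata uses to advertise its encryption cert."""
    return (
        '<md:KeyDescriptor use="encryption" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">\n'
        '  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">\n'
        f"    <ds:X509Data><ds:X509Certificate>{pem_to_metadata_b64(sp_cert_pem)}"
        "</ds:X509Certificate></ds:X509Data>\n"
        "  </ds:KeyInfo>\n"
        "</md:KeyDescriptor>\n"
    )


if __name__ == "__main__":
    # IdP side: the certificate(s) the SP must pin for SAML Response signature checks.
    for pem in extract_idp_signing_certs(SAMPLE_IDP_METADATA):
        print(pem)
    # SP side: the PEM handed to Azure AD for token encryption, and the matching
    # metadata fragment (same placeholder bytes, to keep the example offline).
    print(sp_encryption_key_descriptor(_wrap_pem(PLACEHOLDER_B64)))
```

The filter on the `use` attribute is the part worth keeping in mind: a descriptor with no `use` counts for signing too, and whatever the SP trusts for signature verification should be exactly the set this function returns, re-fetched whenever the IdP rotates its certificate.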