
In ADFS, several certificates are used. This is explained (very clearly) on this page: http://blogs.technet.com/b/adfs/archive/2007/07/23/adfs-certificates-ssl-token-signing-and-client-authentication-certs.aspx

Now, I have configured the following:

  • ADFS Communications certificate
  • ADFS Token decrypting certificate (for tokens that are received from another FS)
  • ADFS Token signing certificate (to sign the tokens that are sent to the relying parties)

And on relying party level I have configured the following:

  • RP Token encryption certificate

Now, what I don't understand is how to configure the request verification certificate. In ADFS, you can find it in a tab next to 'Encryption', and the explanation is the following: "Specify the signature verification certificates for requests from this relying party."

I assume I have to add a clientCertificate or something in the web config of my Relying Party, but I don't want ALL requests to be signed, only the requests that are travelling to ADFS should be signed. I want to do this because I do not want other, random apps to be able to contact my ADFS and consume resources.

Does anyone know how to set the request verification certificate?

Michael

1 Answer


Is this for WS-Fed or for SAML?

I've only ever used this for SAML.

In the SAML world, this is imported from the partner metadata and is the public key of the certificate the partner uses to sign assertions (In WS-Fed terms = claims).

The RP uses this to validate the assertions.

rbrayb
  • The RP validating the assertions is so that the RP can be sure that the assertions come from ADFS. However, I want ADFS to be sure the initial request (even before any token is sent) comes from a known RP. This way, the ADFS does not respond to requests coming from a fake RP. – Michael Aug 13 '14 at 15:31
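Applying the answer to the goal in the comment (AD FS only answering requests it can verify came from a known RP), the PowerShell below is an added example that is not from the question or the answer: it registers the RP's public signing certificate as the request-verification certificate on the relying party trust and enforces signed SAML requests, which is the SAML case the answer covers. The trust name and the certificate path are assumptions.

```powershell
# Added example (not from the question or answer): register the relying party's
# request-signing certificate on an AD FS relying party trust and require that
# SAML requests be signed, so AD FS rejects AuthnRequests it cannot verify.
# Run in an elevated PowerShell session on the AD FS server.
$trustName = 'Contoso RP'                          # assumption: RP trust display name
$certPath  = 'C:\certs\contoso-rp-signing.cer'     # assumption: RP's exported PUBLIC certificate

# Load the certificate and refuse anything that carries a private key; AD FS only
# needs the RP's public key to verify signatures.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certPath
if ($cert.HasPrivateKey) {
    throw 'Import the RP public certificate only; the private key stays on the RP.'
}

# Attach the verification certificate and turn on signature enforcement.
Set-AdfsRelyingPartyTrust -TargetName $trustName `
    -RequestSigningCertificate $cert `
    -SignedSamlRequestsRequired $true

# Read the trust back and check that both settings took effect.
$rp = Get-AdfsRelyingPartyTrust -Name $trustName
$thumbprints = $rp.RequestSigningCertificate | ForEach-Object { $_.Thumbprint }
if ($thumbprints -notcontains $cert.Thumbprint) {
    throw "Request signing certificate $($cert.Thumbprint) is not registered on '$trustName'."
}
if (-not $rp.SignedSamlRequestsRequired) {
    throw "Signed SAML requests are not enforced on '$trustName'."
}
"Trust '$trustName' now requires SAML requests signed with $($cert.Thumbprint)"
```

Requests from the RP must then be signed with the matching private key on the RP side; unsigned requests, or requests signed with any other key, are rejected by AD FS before a token is issued.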