Home

ADFS Advice: Relying Party Trust Encryption Certificate

%3CLINGO-SUB%20id%3D%22lingo-sub-46172%22%20slang%3D%22en-US%22%3EADFS%20Advice%3A%20Relying%20Party%20Trust%20Encryption%20Certificate%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-46172%22%20slang%3D%22en-US%22%3E%3CP%3EHey%20all%2C%20I%20was%20wondering%20if%20someone%20could%20give%20me%20some%20advice%3A%26nbsp%3BFirst%2C%20I'm%20still%20relatively%20new%20to%20ADFS.%20Outside%20of%20federating%20with%20Office%20365%20and%20establishing%20a%20handful%20of%20trusts%20with%20a%20few%20of%20our%20vendors%2C%20I%20still%20consider%20myself%20a%20beginner%20with%20ADFS.%26nbsp%3B%20In%20my%20mind%20I%20really%20haven't%20gotten%26nbsp%3Bto%20the%20nitty-gritty%20deep%20down%20understanding%20of%20all%20things%20ADFS%20yet%2C%20and%26nbsp%3Bthat%20sometimes%20make%20me%20question%20my%20line%20of%20thinking.%26nbsp%3B%20Right%20now%2C%20%26nbsp%3BI'm%20stuck%20trying%20to%20figure%20out%20and%20understand%26nbsp%3Bthe%20particulars%20for%20a%20RPT%20configuration%2C%20and%20need%20some%20advice%20on%20how%20to%20proceed.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20a%26nbsp%3Bvendor%20that%20we%20are%20trying%20to%20set%20up%20a%20relying%20party%20trust%20with%20and%20for%20whatever%20reason%2C%20they%20don't%20want%20want%20to%20provide%20us%20with%20their%20Metadata%26nbsp%3Bby%20URL%20or%20by%26nbsp%3Bfile%20(the%20only%20ways%20I've%20ever%20configured%20a%20RPT).%26nbsp%3B%20Instead%2C%26nbsp%3Bthey%26nbsp%3B%20want%20me%20to%20enter%20the%20data%20about%20the%20relying%20party%20trust%20manually.%26nbsp%3B%26nbsp%3B%26nbsp%3BNot%20a%20huge%20deal%2C%20I%20guess.%20The%20settings%26nbsp%3Bthey%20sent%20me%20looks%20straightforward%20and%20there%20is%20only%20a%20single%20claim%20rule%20that%20needs%20to%20be%20defined.%26nbsp%3B%20But%2C%20as%20silly%20as%20it%20may%20sound%2C%20%26nbsp%3BI'm%20stuck%26nbsp%3Bon%20adding%20the%20RPT's%20encryption%20certificate.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENow%2C%20like%20I%20said%2C%20normally%20with%20our%20other%20RPTs%2C%20we've%26nbsp%3Balways%20received%20their%26nbsp%3Bmetadata%26nbsp%3Bvia%20file%20or%20URL.%26nbsp%3B%20As%20one%20my%20expect%2C%20this%20method%20has%20always%26nbsp%3Bpopulated%26nbsp%3Bour%20partner's%20specified%26nbsp%3Bcertificate%20as%20the%20RPT's%20encryption%20certificate.%26nbsp%3B%20This%20makes%20sense%20to%20me%20because%20I've%20always%20understood%20that%20when%20you%20encrypt%20something%20you%20want%20to%26nbsp%3Bsend%26nbsp%3Bto%20another%20party%2C%20you%20do%20so%20using%20their%20public%20key.%26nbsp%3B%26nbsp%3BThe%20remote%20party%20then%20decrypts%20it%20using%20their%20securely%20stored%2C%20private%20key.%26nbsp%3B%26nbsp%3BHere%2C%20however%2C%20this%26nbsp%3Bvendor%20telling%20me%20that%20*I*%26nbsp%3Bneed%20to%20create%20the%20encryption%26nbsp%3Bcert%20on%20my%20end.%26nbsp%3B%20By%20my%20math%20that%20means%20I%20would%20have%20to%20create%20a%20cert%20and%20send%20them%26nbsp%3Bprivate%20key%20so%20they%20could%20decrypt%20whatever%20we%20encrypt%20and%20send%26nbsp%3Bthem.%26nbsp%3B%20What%20sort%20of%20nonsense%20is%20that%3F%26nbsp%3B%20Why%20on%20earth%20would%26nbsp%3Bwe%20ever%20do%20that%3F%26nbsp%3B%20Am%20I%20missing%26nbsp%3Bsomething%3F%26nbsp%3B%20Shouldn't%20this%20specify%20THEIR%20public%20key%20cert%20on%20our%20end%3F%26nbsp%3B%20%26nbsp%3BNeedless%2C%20to%20say%20I%20am%20confused.%26nbsp%3B%20I%20may%20just%26nbsp%3Bnot%20be%20thinking%20this%20through%20clearly%2C%20but%20right%20now%20it%20feels%20like%20they%20have%20no%20idea%20what%20they%20are%20asking%20for.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHowever%2C%20assume%20I'm%20wrong%2C%20or%2C%20the%20more%20likely%20scenario%2C%20that%20%26nbsp%3BI%20am%20correct%2C%20but%20I%20am%20going%20to%20have%20to%20step%20these%20folks%20through%26nbsp%3Bproperly%20configuring%20things%20on%20their%20end%20and%20creating%26nbsp%3Bthis%20certificate%26nbsp%3Bwhat's%26nbsp%3Bthe%20best%20approach%20for%20this%20type%20of%20certificate%3F%26nbsp%3B%20What%20are%20the%20requirements%20for%20the%20cert%3F%20What%20are%20the%20best%20practices%20around%20this%20cert%3F%26nbsp%3B%20and%20Because%20we%20are%20manually%20creating%20this%20RPT%2C%26nbsp%3B%20what%20is%20the%20best%20approach%20for%20creating%20and%20distributing%20(and%20updating)%26nbsp%3Ba%20cert%20like%20this%3F%26nbsp%3B%26nbsp%3B%20Are%20there%20any%20other%20pitfalls%20to%20be%20aware%20of%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20know%2C%20it's%20a%20long-winded%20request%2C%20but%20any%20advice%2Fschooling%20would%20be%20much%20appreciated.%26nbsp%3B%20Thanks!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-46172%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIdentity%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E
Deleted
Not applicable

Hey all, I was wondering if someone could give me some advice: First, I'm still relatively new to ADFS. Outside of federating with Office 365 and establishing a handful of trusts with a few of our vendors, I still consider myself a beginner with ADFS.  In my mind I really haven't gotten to the nitty-gritty deep down understanding of all things ADFS yet, and that sometimes make me question my line of thinking.  Right now,  I'm stuck trying to figure out and understand the particulars for a RPT configuration, and need some advice on how to proceed.

 

We have a vendor that we are trying to set up a relying party trust with and for whatever reason, they don't want want to provide us with their Metadata by URL or by file (the only ways I've ever configured a RPT).  Instead, they  want me to enter the data about the relying party trust manually.   Not a huge deal, I guess. The settings they sent me looks straightforward and there is only a single claim rule that needs to be defined.  But, as silly as it may sound,  I'm stuck on adding the RPT's encryption certificate. 

 

Now, like I said, normally with our other RPTs, we've always received their metadata via file or URL.  As one my expect, this method has always populated our partner's specified certificate as the RPT's encryption certificate.  This makes sense to me because I've always understood that when you encrypt something you want to send to another party, you do so using their public key.  The remote party then decrypts it using their securely stored, private key.  Here, however, this vendor telling me that *I* need to create the encryption cert on my end.  By my math that means I would have to create a cert and send them private key so they could decrypt whatever we encrypt and send them.  What sort of nonsense is that?  Why on earth would we ever do that?  Am I missing something?  Shouldn't this specify THEIR public key cert on our end?   Needless, to say I am confused.  I may just not be thinking this through clearly, but right now it feels like they have no idea what they are asking for.

 

However, assume I'm wrong, or, the more likely scenario, that  I am correct, but I am going to have to step these folks through properly configuring things on their end and creating this certificate what's the best approach for this type of certificate?  What are the requirements for the cert? What are the best practices around this cert?  and Because we are manually creating this RPT,  what is the best approach for creating and distributing (and updating) a cert like this?   Are there any other pitfalls to be aware of?

 

I know, it's a long-winded request, but any advice/schooling would be much appreciated.  Thanks!

Related Conversations
AD+ADFS+AAD
Taen keren in Azure on
1 Replies
ADFS 4.0 and Office 365 - Internal CA
Enrico Giacomin in Office 365 on
3 Replies
Running SQL Agent Jobs with Always Encrypted Column
victorjohnson in SQL Server on
0 Replies