Rohit Kumar

Reputation: 13

Sustainsys.Saml2 logout not working if .pfx file not configured in service collection

In one of my projects I am using the Sustainsys.Saml2 library in an ASP.NET Core application with IdentityServer4. I could not find proper documentation for the configuration, so I configured the startup as below:

.AddSaml2(option =>
{
    // Pick the IdP per request; here we are passing a dynamic, tenant-specific provider
    option.Notifications.SelectIdentityProvider =
        (id, data) => GetProvider(option, tenant);
    option.SignInScheme = IdentityServerConstants.ExternalCookieAuthenticationScheme;
    option.SignOutScheme = IdentityServerConstants.DefaultCookieAuthenticationScheme;
    option.SPOptions.EntityId = new Sustainsys.Saml2.Metadata.EntityId(samlEntityId);
});

// options is Sustainsys.Saml2.Configuration.IOptions (Saml2Options implements it).
// Note that this runs on every SelectIdentityProvider call, so the ServiceCertificates
// collection below receives a new entry each time.
private static IdentityProvider GetProvider(IOptions options, Web.Application.Service.ITenantHandler tenant)
{
    TenantDetail tenantDetail = tenant.GetTenantDetail();
    var entityId = tenantDetail.SSOSettings.ADFSRelyingPartyUrl;

    var idp = new IdentityProvider(new EntityId(entityId), options.SPOptions)
    {
        LoadMetadata = true,
        MetadataLocation = $"{tenantDetail.SSOSettings.ADFSMetaDataUrl}",
        WantAuthnRequestsSigned = false,
        DisableOutboundLogoutRequests = false,
        AllowUnsolicitedAuthnResponse = false,
        Binding = Sustainsys.Saml2.WebSso.Saml2BindingType.HttpRedirect,
    };

    // Certificate used to validate signatures coming from the IdP
    idp.SigningKeys.AddConfiguredKey(new X509Certificate2(tenantDetail.SSOSettings.SigningCertificate));

    // Replace any previously registered provider with the same entity id
    var existingEntityProvider = options.IdentityProviders.KnownIdentityProviders
        .FirstOrDefault(x => x.EntityId.Id == entityId);
    if (existingEntityProvider != null)
        options.IdentityProviders.Remove(existingEntityProvider.EntityId);
    options.IdentityProviders.Add(idp);

    // Certificate the SP itself signs with (the same file as the IdP signing certificate above)
    options.SPOptions.ServiceCertificates.Add(new ServiceCertificate
    {
        Certificate = new X509Certificate2(tenantDetail.SSOSettings.SigningCertificate, tenantDetail.SSOSettings.SigningPassword),
        Use = CertificateUse.Signing,
        Status = CertificateStatus.Current,
    });

    return idp;
}

This configuration is working in the case below

My question is

Upvotes: 1

Views: 1702

Answers (1)

Anders Abel

Reputation: 69280

For the logout functionality to be enabled, a certificate with a private key is needed to be able to sign the outbound logout request. So you need a .pfx.

But you are confusing two different certificates here. The .cer file you get from your IdentityProvider is the one representing their signing key. They should never give that private key (.pfx file) to you.

The ServiceCertificate is a certificate representing your application. This is something that you can generate yourself. It does not need to be a bought certificate; you can create a self-signed one. Then share the metadata generated by the library (accessible at /Saml2) with the IdentityProvider - they need to register that in their configuration. You could also share the .cer file for your certificate. Never share the .pfx.

Upvotes: 3
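To make the distinction drawn in the answer concrete, the following is an added example; it is not code from the question, the answer or the Sustainsys.Saml2 project. It generates a self-signed SP signing certificate with .NET's CertificateRequest, exports the .pfx the application keeps and the .cer the IdP receives, and then registers the two certificates the way the answer describes: the IdP's .cer as a signing key (public key only) and the SP's own .pfx as the ServiceCertificate that signs outbound LogoutRequests. The SpCertificates and Saml2Setup class names, the file paths, the entity IDs and the password are assumptions for illustration.

```csharp
// Added example: keep the IdP's public signing certificate apart from the SP's own
// private signing certificate. Class names, paths, entity IDs and password are assumptions.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Sustainsys.Saml2;
using Sustainsys.Saml2.AspNetCore2;
using Sustainsys.Saml2.Configuration;
using Sustainsys.Saml2.Metadata;
using Sustainsys.Saml2.WebSso;

public static class SpCertificates
{
    // Generate a self-signed SP signing certificate. Run once; the .pfx stays secret.
    public static (byte[] Pfx, byte[] Cer) CreateSelfSigned(string subject, string pfxPassword)
    {
        using var rsa = RSA.Create(2048);
        var request = new CertificateRequest(
            subject, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        request.CertificateExtensions.Add(
            new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature, critical: true));
        using var cert = request.CreateSelfSigned(
            DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(2));

        // .pfx: certificate plus private key, kept by the application only.
        byte[] pfx = cert.Export(X509ContentType.Pfx, pfxPassword);
        // .cer: certificate without the private key, safe to hand to the IdP
        // (the same public certificate is also published in the /Saml2 metadata).
        byte[] cer = cert.Export(X509ContentType.Cert);
        return (pfx, cer);
    }

    // Guard against the mix-up in the question: the IdP's file must not carry a
    // private key, and the SP's file must, or outbound LogoutRequests cannot be signed.
    public static void Verify(X509Certificate2 idpSigningCert, X509Certificate2 spServiceCert)
    {
        if (idpSigningCert.HasPrivateKey)
            throw new InvalidOperationException(
                "IdP signing certificate should be a public .cer, never their .pfx.");
        if (!spServiceCert.HasPrivateKey)
            throw new InvalidOperationException(
                "SP ServiceCertificate needs a private key (.pfx) to sign LogoutRequests.");
    }
}

public static class Saml2Setup
{
    // Called from services.AddAuthentication().AddSaml2(options => Saml2Setup.Configure(options, ...))
    public static void Configure(Saml2Options options, string idpEntityId, string idpMetadataUrl,
                                 string idpCerPath, string spPfxPath, string spPfxPassword)
    {
        // From the IdP: public key only, used to verify signatures they produce.
        var idpCert = new X509Certificate2(File.ReadAllBytes(idpCerPath));
        // Ours: includes the private key, used to sign AuthnRequests and LogoutRequests.
        var spCert = new X509Certificate2(File.ReadAllBytes(spPfxPath), spPfxPassword);
        SpCertificates.Verify(idpCert, spCert);

        options.SPOptions.EntityId = new EntityId("https://sp.example.com/Saml2");
        options.SPOptions.ServiceCertificates.Add(new ServiceCertificate
        {
            Certificate = spCert,
            Use = CertificateUse.Signing,
            Status = CertificateStatus.Current,
        });

        var idp = new IdentityProvider(new EntityId(idpEntityId), options.SPOptions)
        {
            LoadMetadata = true,
            MetadataLocation = idpMetadataUrl,
            DisableOutboundLogoutRequests = false, // relies on the SP private key above
            Binding = Saml2BindingType.HttpRedirect,
        };
        idp.SigningKeys.AddConfiguredKey(idpCert);
        options.IdentityProviders.Add(idp);
    }
}
```

The two exports from CreateSelfSigned go to different places: the .pfx (and its password) into the application's secret store, the .cer to the IdP administrator or, equivalently, the /Saml2 metadata URL. Because Configure runs once at startup rather than inside SelectIdentityProvider, the ServiceCertificates collection holds exactly one signing certificate instead of growing with every sign-in.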
