
RobM.62038 (Customer) asked a question.
I am configuring Okta as SP in an inbound federation setup. Our third party IdP provided us with metadata for configuring our Okta Identity Provider. The metadata includes multiple <X509Certificate> sections. I assume that I use the certificate in the <ds:Signature> section (with use="signing") as the IdP Signature certificate. The other <X509Certificate> sections all have use="encryption". They are located in the <RoleDescriptor>, <SPSSODescriptor>, and <IDPSSODescriptor> sections and contain different certificates. How do I use these when configuring the Identity Provider? I don't see any other places to add a certificate.
Any help you can provide would be much appreciated.

Hello!
Thank you for raising a question with the Okta Help Center!
For an inbound federation setup, there are a few key steps when configuring the certificates. You can find information on that below:
https://help.okta.com/en/prod/Content/Topics/Security/Identity_Providers.htm
As stated in that documentation:
IdP Signature Certificate: Certificate from the IdP used to sign the assertion.
So, the "ds:Signature" with use="signing" is what you'd use here.
The other sections with use="encryption" are used to encrypt the certificate and are not used inherently in the configuration per the documentation.
Please let us know if that helps!
Thank you,
Brandon Wendorf
Technical Support Engineer
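To make the answer above concrete, here is an added example (not Okta's code and not from the original thread) that inventories every certificate in a SAML 2.0 metadata file and picks out the IdP signing certificate: the KeyDescriptor entries under IDPSSODescriptor whose `use` is "signing", or that carry no `use` attribute at all (the SAML metadata schema treats a KeyDescriptor without `use` as valid for both signing and encryption). The metadata document, entity ID and certificate bodies are constructed placeholders, not real X.509 data. The certificate inside the top-level `<ds:Signature>` is reported separately, because it is the key that signed the metadata document itself.

```python
"""Inventory X509Certificate entries in SAML 2.0 metadata and select the
IdP signing certificate(s). Added example; the metadata is constructed and
the certificate values are placeholders, not real certificates."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample metadata in the shape the question describes: a signed
# EntityDescriptor with RoleDescriptor, SPSSODescriptor and IDPSSODescriptor,
# each carrying its own KeyDescriptor entries.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/constructed-entity-id">
  <ds:Signature>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      CONSTRUCTED-METADATA-SIGNER-PLACEHOLDER
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <md:RoleDescriptor protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        CONSTRUCTED-ROLE-ENCRYPTION-PLACEHOLDER
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:RoleDescriptor>
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        CONSTRUCTED-SP-ENCRYPTION-PLACEHOLDER
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        CONSTRUCTED-SP-NO-USE-ATTRIBUTE-PLACEHOLDER
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        CONSTRUCTED-IDP-SIGNING-CERT
        PLACEHOLDER
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        CONSTRUCTED-IDP-ENCRYPTION-PLACEHOLDER
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _cert_text(element):
    """Base64 certificate body with the line breaks/indentation removed."""
    cert = element.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not cert.text:
        return None
    return "".join(cert.text.split())


def inventory_certificates(metadata_xml):
    """Return (role, use, certificate) for every KeyDescriptor in the file.

    A KeyDescriptor without a 'use' attribute is reported as "both", since
    the metadata schema allows such a key for signing and encryption."""
    root = ET.fromstring(metadata_xml)
    found = []
    for role in root:
        local_name = role.tag.split("}")[-1]
        if not local_name.endswith("Descriptor"):
            continue  # ds:Signature and other non-role children are skipped here
        for kd in role.findall("md:KeyDescriptor", NS):
            cert = _cert_text(kd)
            if cert is not None:
                found.append((local_name, kd.get("use", "both"), cert))
    return found


def idp_signing_certificates(metadata_xml):
    """Certificates Okta would need as the 'IdP Signature Certificate':
    signing-capable keys declared by the IDPSSODescriptor role."""
    return [cert for role, use, cert in inventory_certificates(metadata_xml)
            if role == "IDPSSODescriptor" and use in ("signing", "both")]


def metadata_signing_certificate(metadata_xml):
    """Certificate inside the top-level ds:Signature, i.e. the key that signed
    the metadata document itself; returned separately from the role keys."""
    root = ET.fromstring(metadata_xml)
    signature = root.find("ds:Signature", NS)
    return None if signature is None else _cert_text(signature)


if __name__ == "__main__":
    for role, use, cert in inventory_certificates(SAMPLE_METADATA):
        print(f"{role:<20} use={use:<10} {cert}")
    print("IdP signing certificate(s):", idp_signing_certificates(SAMPLE_METADATA))
    print("Metadata signer:", metadata_signing_certificate(SAMPLE_METADATA))
```

Running it against a real federation metadata file (replace `SAMPLE_METADATA` with the file contents) lists every certificate by role and use, so it is easy to see that only the IDPSSODescriptor signing key is the one the Identity Provider configuration asks for; the use="encryption" entries belong to other roles or to a different purpose. Parsing metadata received from a third party with a hardened XML parser rather than the stock `xml.etree` is the usual choice for production tooling.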

We should be able to integrate with the IDP - the use="encryption" values are typically used to encrypt a certificate, and it's possible that the IDP is using one of either Public Key or Private Key encryption. You can read more about that here:
https://www.comodo.com/resources/small-business/digital-certificates2.php
My suggestion is to use our Inbound Federation Documentation to integrate this as we have outlined, and should you face any issues with the setup, I would advise opening a full support ticket and we can assist with any errors with the setup.
Thank you,
Brandon Wendorf
Technical Support Engineer

Can we just ignore the fact that they are encrypting the certificate or will we need to do some custom coding to make this work? In my testing I have been using a trial version of Okta to simulate my 3rd party IdP and have successfully run in IdP initiated and SP initiated scenarios. The purpose of my question is to determine whether the presence of the additional encryption certificates in the client's FederationMetadata file are a red flag that indicates that there will be additional custom work required on my end to support decrypting the certificate.