I am implementing an SSO mechanism with a Service Provider (SP) by using ADFS as Identity Provider (IdP).
The SP's regular website offers integration with ADFS, so it was enough to set up the SP as a Relying Party in my ADFS and provide them with the Token Signing certificate.
The SP's mobile app does not offer integration with ADFS, so they require a web application (SSOApplication) to be built that bridges the SSO mechanism between the SP and ADFS. The SP redirects the request to SSOApplication, which in the background queries ADFS using SAML and then, if authentication is approved, sends the response to the SP.
SSOApplication communicates correctly with ADFS, but I cannot sign the SAML response for the SP because, contrary to the SSL certificate, the Token Signing certificate offers no option to export the private key (although MS claims it is possible here). The SP requires the same certificate for both the Web and Mobile App entry points, so I cannot use two different Token Signing certificates.
Moreover, this very certificate is used by the other SPs that communicate with my ADFS, so if I change the certificate I have to communicate the new one to every other SP integrated with our ADFS. Is there any way to export the private key from the Token Signing certificate? Is there any way to use different Token Signing certificates for different relying parties in ADFS?
PS: In ADFS I can export the key of the SSL certificate, but there is no such option for Token Signing.
The link is for ADFS 1.x. In ADFS 2.0 and above it is not possible. The official way is to create another signing cert and import it in ADFS. Indeed, then all SPs need to roll over...
That is the official answer. Now the hack. If you are using a farm with a service account, then it is in the user store of that account. But export is disabled. If you know how to work with mimikatz from gentilkiwi (and know how to read French :-) ), then you can even solve that too.
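The supported rollover the answer refers to, written out as an added example that is not part of either post: it installs a second token-signing certificate in ADFS 2.0+ with PowerShell, publishes it alongside the current one in federation metadata, and then promotes it. Because the new key pair is generated outside ADFS, the same PFX can also be installed for SSOApplication, which is what the question needs. The PFX path and the old thumbprint are placeholders, and the ADFS service account is assumed to have read access to the new private key.

```powershell
# Added example (not from the original posts): supported ADFS token-signing rollover
# instead of extracting the private key of the current certificate.
# Assumptions: the new key pair is in C:\certs\new-token-signing.pfx (placeholder path)
# and the ADFS service account has been granted read access to its private key.

# 1. Stop ADFS from rotating certificates on its own while you do this by hand.
Set-AdfsProperties -AutoCertificateRollover $false

# 2. Import the new certificate (with private key) into the machine store.
$pfxPassword = Read-Host -AsSecureString "PFX password"
$cert = Import-PfxCertificate -FilePath 'C:\certs\new-token-signing.pfx' `
                              -CertStoreLocation 'Cert:\LocalMachine\My' `
                              -Password $pfxPassword

# 3. Register it as a secondary token-signing certificate. ADFS publishes both the
#    primary and the secondary certificate in federation metadata, so relying parties
#    that consume metadata can trust the new key before it becomes primary.
Add-AdfsCertificate -CertificateType Token-Signing -Thumbprint $cert.Thumbprint

# 4. Once every relying party (including the SP's web and mobile entry points) trusts
#    the new certificate, promote it. The old one stays as secondary until removed.
Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint $cert.Thumbprint -IsPrimary

# 5. Verify: exactly one token-signing certificate should report IsPrimary = True.
Get-AdfsCertificate -CertificateType Token-Signing |
    Select-Object Thumbprint, IsPrimary, NotAfter

# 6. After all relying parties have switched, retire the old certificate.
# Remove-AdfsCertificate -CertificateType Token-Signing -Thumbprint '<OLD-THUMBPRINT>'
```

Relying parties that were configured with a static copy of the certificate, rather than by metadata URL, still have to be sent the new certificate before step 4, as the answer notes.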