Tags: c#, azure-web-app-service, azure-keyvault, sts-securitytokenservice

Accessing Certificates in Azure KeyVault for Legacy Security Token Service


We have some legacy Web Forms apps we are attempting to migrate to Azure App Services. These Web Forms apps use the old Microsoft.IdentityModel and a custom Security Token Service (MVC 4) app for authentication. The STS app uses an external identity provider and receives SAML 2.0 artifacts, builds the claims, and then passes on to the requesting app.

With the move to Azure App Services, we would naturally use KeyVault. However, take the following web.config excerpt as an example:

    <issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <trustedIssuers>
        <add thumbprint="some_thumbprint" name="STSTestCert" />
      </trustedIssuers>
    </issuerNameRegistry>
    <serviceCertificate>
      <certificateReference x509FindType="FindByThumbprint" findValue="some_thumbprint" storeLocation="LocalMachine" storeName="My" />
    </serviceCertificate>

This would obviously read from the certificate store on the server. Is there any way to make this use Azure KeyVault? Perhaps providing the certificate programmatically versus a configuration file? Any other alternatives without having to completely re-write our authentication setup?

I've been reading into the OWIN Startup and Authentication classes, but not yet sure if that will get me where I need to be.


Solution

  • I was incorrect in my initial assessment of how certificates would work in an Azure App Service. Without changing the configuration in my original post, you can access app service certificates in the same way as if it were running on IIS. The only thing I needed to do was to change the location of the certificate store location to "CurrentUser". Then, I had to run the following PowerShell script to give the app service access to the certificate:

    az webapp config appsettings set --name <application_name> --resource-group <app_service_resource_group> --settings WEBSITE_LOAD_CERTIFICATES=<comma_delimited_list_of_thumbprints>
    

    After this, the application is able to access the certificate successfully.
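The answer above keeps the certificate in web.config and only changes the store location. The question also asked about supplying the certificate programmatically, so here is an added example (not code from the original post or from Microsoft) that does that for the WIF 3.5 API the question uses: it looks the certificate up by thumbprint in the CurrentUser\My store that WEBSITE_LOAD_CERTIFICATES populates, fails with an actionable message if the certificate or its private key is missing, and hands it to Microsoft.IdentityModel through the FederatedAuthentication.ServiceConfigurationCreated event. The appSettings key StsCertificateThumbprint and the class name StsCertificateLoader are assumed names, not part of the original setup.

```csharp
// Added example, not from the original post. Targets Microsoft.IdentityModel 3.5
// (WIF for .NET 3.5/4.0) as used by the question's STS, running on Windows App Service.
using System;
using System.Configuration;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Web;

public static class StsCertificateLoader
{
    // Thumbprints copied from the Azure portal or certmgr often carry spaces or an
    // invisible left-to-right mark (U+200E); a raw string compare then silently
    // fails to find the certificate. Keep only hex digits and upper-case them.
    public static string NormalizeThumbprint(string thumbprint)
    {
        if (string.IsNullOrWhiteSpace(thumbprint))
            throw new ArgumentException("Thumbprint is empty.", "thumbprint");

        var hex = new string(thumbprint.Where(Uri.IsHexDigit).ToArray());
        if (hex.Length != 40)
            throw new ArgumentException(
                "A SHA-1 thumbprint is 40 hex characters; got " + hex.Length + ".", "thumbprint");

        return hex.ToUpperInvariant();
    }

    // App Service projects certificates listed in WEBSITE_LOAD_CERTIFICATES into
    // CurrentUser\My, so that is the default store location here.
    public static X509Certificate2 Load(string thumbprint, StoreLocation location = StoreLocation.CurrentUser)
    {
        var normalized = NormalizeThumbprint(thumbprint);
        var store = new X509Store(StoreName.My, location);
        try
        {
            store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);

            // validOnly: false so a self-signed test certificate, or one whose chain the
            // sandbox cannot build, is still returned. Trust is decided by the thumbprint
            // pin, not by chain validation at this point.
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, normalized, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException(
                    "Certificate " + normalized + " not found in " + location + "\\My. " +
                    "On App Service, check that the thumbprint is listed in WEBSITE_LOAD_CERTIFICATES " +
                    "and that the certificate has been uploaded to the app (or imported from Key Vault).");

            var cert = matches[0];
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException(
                    "Certificate " + normalized + " has no private key; the STS cannot sign or decrypt with it.");

            return cert;
        }
        finally
        {
            store.Close();
        }
    }
}

// Global.asax.cs: override the service certificate before WIF handles the first request.
// With this in place the <serviceCertificate> element in web.config is no longer needed.
public class MvcApplication : System.Web.HttpApplication
{
    protected void Application_Start()
    {
        FederatedAuthentication.ServiceConfigurationCreated += (sender, e) =>
        {
            // "StsCertificateThumbprint" is an assumed appSettings key; on App Service it
            // can be supplied as an app setting rather than stored in web.config.
            var thumbprint = ConfigurationManager.AppSettings["StsCertificateThumbprint"];
            e.ServiceConfiguration.ServiceCertificate = StsCertificateLoader.Load(thumbprint);
        };
    }
}
```

The thumbprint in web.config or app settings is a pin, not a secret, so keeping it in configuration is fine; what matters is that the private key only ever lives in the App Service certificate store (or in Key Vault, from which the app certificate is imported) and that the app fails loudly rather than falling back to a different certificate when the pinned one is absent.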