My trading partner uses software that requires that the certificate is provided in the metadata or as a separate file.
Typical error messages include (examples shown from ADFS2)
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: MSIS0037: No signature verification certificate found for issuer
The signing credentials cannot be resovled because signed XML does not contain a SecurityKeyIdentifier.
By default, the Ubisecure SSO metadata contains only the public key. To enable publishing of the certificate:
- For the IDP and IDP Proxy Metadata published at http://SSO_URL/uas/saml2/metadata.xml, enter the word "MetadataCertficate" in the Server Compatibility Flags field on the home page of Ubisecure SSO Management and press Update.
The metadata containing the certificate can be downloaded from the SAML 2.0 link on the home page of the Ubisecure SSO Management console.
- For the SP Metadata specific to each authentication method when enabling SAML login as an authentication method, enter the word "MetadataCertficate" in the Method Compatibility Flags field on SAML tab of the authentication method in the Ubisecure SSO Management and press Update.
The metadata containing the certificate can be seen from the Download Metadata link on the SAML tab of the authentication method.
If the trading partner requires the certificate in a separate .PEM file, copy the certificate to a new text file and add "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" before and after the certificate.
This setting can also be modified using the Ubisecure SSO Management API.