Using multiple certificates for Customer Portal SSO
Answer ID 11049   |   Last Review Date 11/22/2023

Can I use separate certificates for each interface with my customer portal SSO implementation?

Environment:

  • Oracle B2C Service - all releases
  • Identity provider-initiated single sign-on
  • Azure AD, AD FS, or other identity provider

Issue:

An administrator is implementing single sign-on (SSO) for contacts on multiple Customer Portal interfaces of the same Oracle B2C Service site. They have a business need for the SAML assertions to use different X.509 signing certificates for various interfaces.

Resolution:

  1. Add each respective certificate's fingerprint to the SAML_20_SIGN_CERTS configuration setting on the correct interface(s); this configuration setting is interface-specific. Information on obtaining the SHA-1 fingerprint to use in this field can be found in Answer 9992: Validating and reviewing the properties of the signing certificate for SSO.
  2. If you are using a Microsoft identity provider (Azure AD or AD FS), review the following section. Regardless of your IdP, this section also applies if existing agent or contact login via SSO broke immediately after you uploaded a certificate for contact authentication.
    • If you upload two or more certificates with the same subject and a different public key, none of them will be trusted by the trust store.
    • You must configure the system to check the signing certificate only against those that you have uploaded, and to disregard the wider trust store (and this conflict). Here is the documentation page.
    • Put the following at the beginning of the SAML_20_SIGN_CERTS configuration setting, before any SHA-1 fingerprint(s):
      CERT_VALIDATION:IGNORE_TRUST,
    • When you are done, SAML_20_SIGN_CERTS configuration setting might look like this:
      CERT_VALIDATION:IGNORE_TRUST,06767A1E3D41A358A8BCA912F36C0E3C5425CD4F
    • Or it might look like this (all on one line):
      CERT_VALIDATION:IGNORE_TRUST,06767A1E3D41A358A8BCA912F36C0E3C5425CD4F,B7C5D22D2AEE2E151ED6D16DA3D6F4EEC7D08676
    • This is analogous to checking the "Do not verify trust chain" checkbox when configuring agent SSO.
    • If your end-user assertion signing certificate(s) conflict with one you are using for an IdP-initiated agent login flow, go check that box for the agent certificate in Single Sign-On Configurations as well.
  3. Upload all the certificates to the "Additional Root Certificates" directory in File Manager. This is a site-wide certificate store; you do not need to access it from each interface. See Answer 9991: Mandatory requirements for all SSO implementations.
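Assembling the SAML_20_SIGN_CERTS value for one interface from the IdP's PEM certificate files, as an added shell example that is not part of the original answer or of Oracle's product. It assumes openssl is on PATH; it produces the colon-free uppercase SHA-1 fingerprints the setting expects, and prepends CERT_VALIDATION:IGNORE_TRUST either when you set FORCE_IGNORE_TRUST=1 (a Microsoft IdP) or when two inputs share a subject with different public keys, the trust-store conflict described in step 2.

```shell
#!/bin/sh
# Added example: assemble the SAML_20_SIGN_CERTS value for one interface from
# PEM certificate files. Assumes openssl is on PATH (not from the original answer).

# SHA-1 fingerprint of a PEM certificate, uppercase hex with no colons,
# in the form the configuration setting expects.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# Print the setting value. The CERT_VALIDATION:IGNORE_TRUST prefix is added
# when FORCE_IGNORE_TRUST=1 (set this for Azure AD / AD FS) or when two inputs
# share a subject but carry different public keys, the trust-store conflict
# described in step 2.
build_saml_sign_certs() {
    pairs=""
    fps=""
    for cert in "$@"; do
        subj=$(openssl x509 -in "$cert" -noout -subject)
        key=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
        pairs="$pairs$subj|$key
"
        fp=$(cert_fingerprint "$cert")
        fps="${fps:+$fps,}$fp"
    done
    # More distinct (subject, key) pairs than distinct subjects means at least
    # one subject appears with more than one public key.
    distinct_pairs=$(printf '%s' "$pairs" | sort -u | wc -l | tr -d ' ')
    distinct_subjects=$(printf '%s' "$pairs" | cut -d'|' -f1 | sort -u | wc -l | tr -d ' ')
    prefix=""
    if [ "${FORCE_IGNORE_TRUST:-0}" = 1 ] || [ "$distinct_pairs" -ne "$distinct_subjects" ]; then
        prefix="CERT_VALIDATION:IGNORE_TRUST,"
    fi
    printf '%s%s\n' "$prefix" "$fps"
}
```

Run it as `FORCE_IGNORE_TRUST=1 build_saml_sign_certs idp-a.pem idp-b.pem` and paste the single printed line into the setting on the interface that should trust those certificates.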