Skip Navigation
Expand
Using multiple certificates for Customer Portal SSO
Answer ID 11049   |   Last Review Date 12/21/2022

Can I use separate certificates for each interface with my customer portal SSO implementation?

Environment:

  • Oracle B2C Service - all releases
  • Identity provider-initiated single sign-on
  • Azure AD, AD FS, or other identity provider

Issue:

An administrator is implementing single sign-on (SSO) for contacts on multiple Customer Portal interfaces of the same Oracle B2C Service site. They have a business need for the SAML assertions to use different X.509 signing certificates for various interfaces.

Resolution:

  1. Add each respective certificate's fingerprint to the SAML_20_SIGN_CERTS configuration setting on the correct interface(s). This configuration setting is interface-specific. Information on obtaining the SHA-1 fingerprint to use in this field can be found in Answer 9992: Validating and reviewing the properties of the signing certificate for SSO
  2. If you are using an identity provider by Microsoft (Azure AD or ADFS), review the following section. Regardless of your IdP, if existing agent or contact login via SSO broke immediately when you uploaded a certificate for contact authentication, this section is also for you.
    • If you upload two or more certificates with the same issuer and a different public key, none of them will be trusted by the trust store.
    • You must configure the system to check the signing certificate only against those that you have uploaded, and to disregard the wider trust store (and this conflict).
    • Put the following at the beginning of the SAML_20_SIGN_CERTS configuration setting, before any SHA-1 fingerprint(s):
      CERT_VALIDATION:IGNORE_TRUST,
    • When you are done, SAML_20_SIGN_CERTS configuration setting might look like this:
      CERT_VALIDATION:IGNORE_TRUST,06767A1E3D41A358A8BCA912F36C0E3C5425CD4F
    • Or it might look like this (all on one line):
      CERT_VALIDATION:IGNORE_TRUST,06767A1E3D41A358A8BCA912F36C0E3C5425CD4F,B7C5D22D2AEE2E151ED6D16DA3D6F4EEC7D08676
    • The documentation page "Define Single Sign-on Configuration Settings" explains this setting. To access Oracle B2C Service manuals and documentation online, refer to the Documentation for Oracle B2C Service Products.
    • This is analogous to checking the "Do not verify trust chain" checkbox when configuring agent SSO.
    • If your end-user assertion signing certificate(s) conflict with one you are using for an IdP-initiated agent login flow, go check that box for the agent certificate in Single Sign-On Configurations as well.
  3. Upload all the certificates to the "Additional Root Certificates" directory in File Manager. This is a site-wide certificate store; you do not need to access it from each interface. See Answer 9991: Mandatory requirements for all SSO implementations