My trading partner uses software that requires that the certificate is provided in the metadata or as a separate file.
Typical error messages include (examples shown from ADFS2):
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: MSIS0037: No signature verification certificate found for issuer
or
The signing credentials cannot be resolved because signed XML does not contain a SecurityKeyIdentifier.
Step-by-step guide
By default, the Ubisecure SSO metadata contains only the public key. To enable publishing of the certificate:
- Edit ubilogin-sso/ubilogin/webapps/uas/WEB-INF/uas.properties and add the following lines:
  # saml interoperability features
  com.ubisecure.ubilogin.uas.saml2.compatibility = MetadataCertificate
- Execute ubilogin-sso/ubilogin/config/tomcat/update.cmd
- The certificate is now available in the SAML 2.0 metadata (the link is visible on the Ubisecure SSO Management main page).
If the trading partner requires the certificate in a separate .PEM file, copy the base64 certificate value from the metadata into a new file and add the line "-----BEGIN CERTIFICATE-----" before it and the line "-----END CERTIFICATE-----" after it.
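The extraction step above, as an added example that is not Ubisecure's code: it reads SAML 2.0 metadata, takes the base64 certificate from the signing KeyDescriptor, and writes it as a PEM block with the BEGIN/END lines, reporting when the metadata still carries only the bare public key. It assumes the standard SAML metadata and XML-DSig namespaces; the sample metadata, its entityID and the certificate bytes are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def extract_signing_cert_b64(metadata_xml):
    """Return the base64 X509Certificate of the signing KeyDescriptor, or None.

    None means the metadata carries only a bare public key (ds:KeyValue), which is
    the default Ubisecure SSO output and what triggers the ADFS errors above.
    """
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for signing and encryption alike.
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is not None and cert.text and cert.text.strip():
            return "".join(cert.text.split())  # metadata often wraps the base64
    return None

def to_pem(cert_b64):
    """Wrap base64 DER in PEM armour, 64 characters per line (RFC 7468)."""
    der = base64.b64decode(cert_b64, validate=True)
    if not der or der[0] != 0x30:  # a DER Certificate is an ASN.1 SEQUENCE
        raise ValueError("decoded data is not a DER certificate")
    body = "\n".join(cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def sample_metadata(key_info_inner):
    """Build constructed sample metadata around the given <ds:KeyInfo> content."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sso.example.invalid/uas">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo>{key_info_inner}</ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed samples: "MAMCAQE=" is a tiny placeholder ASN.1 SEQUENCE, not a real certificate.
SAMPLE_WITH_CERT = sample_metadata(
    "<ds:X509Data><ds:X509Certificate>\n  MAMCAQE=\n</ds:X509Certificate></ds:X509Data>")
# Bare public key only, as in the default Ubisecure SSO metadata.
SAMPLE_KEY_ONLY = sample_metadata(
    "<ds:KeyValue><ds:RSAKeyValue><ds:Modulus>AQAB</ds:Modulus>"
    "<ds:Exponent>AQAB</ds:Exponent></ds:RSAKeyValue></ds:KeyValue>")

if __name__ == "__main__":
    b64 = extract_signing_cert_b64(SAMPLE_WITH_CERT)
    print(to_pem(b64) if b64 else "no certificate in metadata; enable MetadataCertificate")
```

Run it against the real metadata downloaded from the Management main page and redirect the output to the .PEM file the trading partner asked for.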
Please note that this change is lost during system upgrades. Record this customization in your system documentation and re-apply during the upgrade process as described in the Ubisecure SSO Installation and Upgrade document.