FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

SAMLv2 Identity provider cannot sign request when I "Import RSA key Pair" with Certificate as public and private key #1805

Closed konvergence closed 1 year ago

konvergence commented 2 years ago

SAMLv2 Identity provider cannot sign request when I "Import RSA key Pair" with Certificate as public and private key

Description

Affects versions

fusionauth 1.36.4

Steps to reproduce

Steps to reproduce the behavior:

  1. Go to 'Key Master'
  2. Click on 'Import RSA key Pair': MyAuthrorityCert
  3. Put the certificate as the public key
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
  4. Put the private key
    -----BEGIN RSA PRIVATE KEY-----
    ...
    -----END RSA PRIVATE KEY-----
  5. Go to Identity Provider
  6. Select the option
  7. Enable Sign Request
  8. Cannot see MyAuthrorityCert in the 'Request signing key' listbox

documentation

konvergence commented 2 years ago

One more piece of information: when I use the API key, I can correctly import/create an RSA key pair with certificate, public key and private key. So is it a UI bug? Maybe there is a way to add a Certificate input field?

mooreds commented 2 years ago

@konvergence thanks for filing the issue. So to repeat back what you are saying so I understand:

Is that what is happening?

konvergence commented 2 years ago

Yes, absolutely !

When I use the API to create an "RSA Key Pair", I can use it as the Request signing key in my SAML IdP configuration. Example:

```shell
curl -v -X POST -L https://myfusion/api/key/import \
     -H 'Authorization: zzzzzzzzzzz' \
     -H 'Accept: application/json' \
     -H 'Content-Type: application/json' \
     -d '{
  "key": {
    "name": "my-cert-key"
    ,"type": "RSA"
    ,"algorithm": "RS256"
    ,"certificate": "-----BEGIN CERTIFICATE-----\n*****\n-----END CERTIFICATE-----"
    ,"publicKey": "-----BEGIN PUBLIC KEY-----\n****\n-----END PUBLIC KEY-----"
    ,"privateKey": "-----BEGIN RSA PRIVATE KEY-----\n***\n-----END RSA PRIVATE KEY-----"
  }
}'
```

When I use the web UI to import "RSA Key Pair" my-cert-key, I copy the certificate as publicKey, then the privateKey.

mooreds commented 2 years ago

Thank you for the details, @konvergence !

robotdan commented 2 years ago

I think this is working as designed. In order to sign a SAML request or response, FusionAuth requires a certificate. If all we end up with is a public and a private key, this is not adequate to build a SAML signature.

konvergence commented 2 years ago

@robotdan ,

The issue is that when I use the UI to import a certificate with this private key, I can't use it to sign SAML requests. The UI does not extract the public key from the certificate and treats the certificate as a public key.

With the API, I import a key with certificate, public key and private key, and the key can be used to sign SAML requests.

robotdan commented 2 years ago

Maybe I have misunderstood.

> When I use the web UI to import "RSA Key Pair" my-cert-key, I copy the certificate as publicKey, then the privateKey.

This sounds like you are not importing the certificate as a cert - but as a public key? Is that correct? If that is the case, I would expect the behavior you're seeing. Maybe we are just missing an option to import a cert + private key pair?

When you say you use the API it works, can you provide more details on how you are calling the API?

konvergence commented 2 years ago

@robotdan

You're right, there is no option in the web UI to import a cert + private key pair. The details of the API calls are here: https://github.com/FusionAuth/fusionauth-issues/issues/1805#issuecomment-1205383819
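An added example, not code from the thread or from FusionAuth, covering the point made twice above (the UI treats the certificate as a public key, while the working API call supplies certificate, publicKey and privateKey separately): a small POSIX shell script around openssl that derives the publicKey field from the certificate, checks that the private key actually belongs to that certificate, and assembles the same /api/key/import body the thread uses. It assumes openssl is installed; FUSIONAUTH_URL and FUSIONAUTH_API_KEY are assumed environment variable names, not names from the page.

```shell
#!/bin/sh
# Added example, not FusionAuth's own code: given a certificate PEM and its
# private key PEM, derive the publicKey field the UI does not derive for you,
# confirm the private key really belongs to the certificate, and build the
# /api/key/import body from the thread. Assumes a POSIX shell with openssl.
set -e

# Extract the public key (SubjectPublicKeyInfo) from a certificate as a
# "-----BEGIN PUBLIC KEY-----" PEM block, which is what the API's publicKey
# field expects; the certificate PEM itself is not a public key.
pubkey_from_cert() {
  openssl x509 -in "$1" -noout -pubkey
}

# Succeed only if the private key's public half is byte-identical to the
# public key inside the certificate (compared as a digest of the DER SPKI).
key_matches_cert() {
  cert_spki=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_spki=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_spki" = "$key_spki" ]
}

# Join PEM lines from stdin with literal "\n" so the block fits in one JSON
# string, the same layout as the curl body in the thread. PEM contains no
# quotes or backslashes, so no further JSON escaping is needed.
pem_to_json_string() {
  awk '{ printf "%s%s", (NR > 1 ? "\\n" : ""), $0 }'
}

# Build the import request body with certificate, publicKey and privateKey
# all populated, as the working API call in the thread does. Refuses to build
# a body whose private key does not match the certificate.
# Usage: build_import_body <key name> <cert.pem> <private key.pem>
build_import_body() {
  key_matches_cert "$2" "$3" || { echo "private key does not match certificate" >&2; return 1; }
  printf '{"key":{"name":"%s","type":"RSA","algorithm":"RS256","certificate":"%s","publicKey":"%s","privateKey":"%s"}}' \
    "$1" \
    "$(pem_to_json_string < "$2")" \
    "$(pubkey_from_cert "$2" | pem_to_json_string)" \
    "$(pem_to_json_string < "$3")"
}

# Send the body to FusionAuth. FUSIONAUTH_URL and FUSIONAUTH_API_KEY are
# assumed environment variables (hypothetical names, not from the page).
import_key() {
  build_import_body "$@" | curl -sS -X POST "$FUSIONAUTH_URL/api/key/import" \
    -H "Authorization: $FUSIONAUTH_API_KEY" \
    -H 'Content-Type: application/json' -d @-
}
```

Run it as `import_key my-cert-key cert.pem key.pem`; the key match check runs before anything is sent, so a mismatched pair never reaches the server.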

robotdan commented 1 year ago

Internal: