Closed. konvergence closed this issue 1 year ago.
One more piece of information: when I use the API key, I can correctly import (create) an RSA key pair with certificate, public key and private key. So is it a UI bug? Maybe there is a way to add a Certificate input field?
@konvergence thanks for filing the issue. To repeat back what you are saying, so I can make sure I understand:
Is that what is happening?
Yes, absolutely!
When I use the API to create an "RSA Key Pair", I can use it as the request signing key in my SAML IdP configuration. Example:
curl -v -X POST -L https://myfusion/api/key/import \
  -H 'Authorization: zzzzzzzzzzz' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
    "key": {
      "name": "my-cert-key",
      "type": "RSA",
      "algorithm": "RS256",
      "certificate": "-----BEGIN CERTIFICATE-----\n*****\n-----END CERTIFICATE-----",
      "publicKey": "-----BEGIN PUBLIC KEY-----\n****\n-----END PUBLIC KEY-----",
      "privateKey": "-----BEGIN RSA PRIVATE KEY-----\n***\n-----END RSA PRIVATE KEY-----"
    }
  }'
When I use the web UI to import "RSA Key Pair" my-cert-key, I copy the certificate as publicKey, then the privateKey.
Thank you for the details, @konvergence!
I think this is working as designed. In order to sign a SAML request or response, FusionAuth requires a certificate. If all we end up with is a public and a private key, this is not adequate to build a SAML signature.
@robotdan ,
The issue is that when I use the UI to import a certificate with this private key, I can't use it to sign SAML requests. The UI does not extract the public key from the certificate and treats the certificate as a public key.
With the API, I import a key with certificate, public key and private key, and the key can be used to sign SAML requests.
Maybe I have misunderstood.
When I use the web UI to import "RSA Key Pair" my-cert-key, I copy the certificate as publicKey, then the privateKey.
This sounds like you are not importing the certificate as a cert - but as a public key? Is that correct? If that is the case, I would expect the behavior you're seeing. Maybe we are just missing an option to import a cert + private key pair?
When you say you use the API it works, can you provide more details on how you are calling the API?
@robotdan
You're right, there are no options in the web UI to import a cert + private key pair. The details of the API calls are here: https://github.com/FusionAuth/fusionauth-issues/issues/1805#issuecomment-1205383819
SAMLv2 Identity Provider cannot sign requests when I "Import RSA Key Pair" with a certificate as the public key, plus the private key
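To show what the UI step is missing, here is an added example (not code from this thread or from FusionAuth) that derives the publicKey PEM from the certificate with openssl, checks that it matches the private key, and builds the same /api/key/import body shown in the curl call above. It assumes openssl is installed; the file names and helper function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or from FusionAuth. Prepares the
# three PEM fields the /api/key/import request in this thread carries, deriving
# publicKey from the certificate instead of pasting the certificate into the
# public key field. Assumes openssl is installed; file names are hypothetical.
set -e

# Extract the public key (SubjectPublicKeyInfo PEM) embedded in an X.509 certificate.
pubkey_from_cert() {
  openssl x509 -in "$1" -noout -pubkey
}

# Derive the public key from a private key (PKCS#1 "RSA PRIVATE KEY" or PKCS#8 both work).
pubkey_from_privkey() {
  openssl pkey -in "$1" -pubout
}

# Succeeds only when the certificate and the private key belong to the same key pair.
cert_matches_key() {
  [ "$(pubkey_from_cert "$1")" = "$(pubkey_from_privkey "$2")" ]
}

# Turn a PEM file into a JSON string value: escape backslashes and quotes,
# and join lines with a literal "\n" as the curl payload in the thread does.
pem_to_json_string() {
  sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' "$1" | awk 'NR > 1 { printf "\\n" } { printf "%s", $0 }'
}

# Build the JSON body for POST /api/key/import (name/type/algorithm as in the thread).
# Arguments: certificate PEM, private key PEM, output path for the derived public key, key name.
build_import_body() {
  cert_matches_key "$1" "$2" || { echo "certificate and private key do not match" >&2; return 1; }
  pubkey_from_cert "$1" > "$3"
  printf '{"key":{"name":"%s","type":"RSA","algorithm":"RS256","certificate":"%s","publicKey":"%s","privateKey":"%s"}}\n' \
    "$4" "$(pem_to_json_string "$1")" "$(pem_to_json_string "$3")" "$(pem_to_json_string "$2")"
}
```

Run `build_import_body cert.pem key.pem pub.pem my-cert-key` and pass its output as the `-d` argument of the curl call.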
Description
Affects versions
fusionauth 1.36.4
Steps to reproduce