Azure AD SAML authentication signing certificate change


Problem description


We use Azure AD for the SAML authentication process. Azure is set up as the trust provider using the Federated Metadata that is published by Microsoft here: https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml. We configure the X509Certificate value in our system to validate the trust and so authenticate the login. We observe that the signing certificate changes, which changes the certificate value and in turn leads to login issues on our system.


Any clue to fix this? Thanks in advance.

Recommended answer


You're right. This is changed by Azure. It's called Signing key rollover. It will affect your application indeed.


For security purposes, Azure AD’s signing key rolls on a periodic basis and, in the case of an emergency, could be rolled over immediately. Any application that integrates with Azure AD should be prepared to handle a key rollover event no matter how frequently it may occur. If it doesn’t, and your application attempts to use an expired key to verify the signature on a token, the sign-in request will fail.

How to fix this:


I understand what you mean and why. But currently, Azure doesn't have a notification for this signing key rollover. I also came across this issue. Actually, the best resolution is to make my application handle key rollover automatically in code. Here are some examples.


Otherwise, you need to write scripts to monitor the changes if your application does not support automatic rollover. This GitHub repository contains scripts and instructions on how to do this.


I have reported this issue to the Azure PG Team.

Hope this helps!
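As an added example (not code from the original answer or from Microsoft), here is the pattern the answer recommends, in Python: read the set of signing certificates from the federation metadata instead of pinning one value, and refresh that set when a SAML response names a certificate that is not currently published. The metadata below is a constructed, abbreviated stand-in with placeholder certificate values; production code would fetch the real document over HTTPS from the URL in the question and would then verify the XML signature with the matched certificate.

```python
import time
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"


def make_metadata(*certs: str) -> str:
    """Constructed, abbreviated stand-in for FederationMetadata.xml; certs are placeholders."""
    keys = "".join(
        f'<KeyDescriptor use="signing"><KeyInfo xmlns="{DS_NS}"><X509Data>'
        f"<X509Certificate>{c}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>"
        for c in certs
    )
    return (f'<EntityDescriptor xmlns="{MD_NS}" entityID="https://sts.windows.net/TENANT-PLACEHOLDER/">'
            f"<IDPSSODescriptor>{keys}</IDPSSODescriptor></EntityDescriptor>")


def signing_certs(metadata_xml: str) -> set[str]:
    """Every X509Certificate under a KeyDescriptor that is valid for signing."""
    root = ET.fromstring(metadata_xml)
    certs = set()
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        if kd.get("use", "signing") != "signing":  # no 'use' attribute means signing and encryption
            continue
        for c in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            certs.add("".join((c.text or "").split()))  # strip base64 line breaks
    return certs


class TrustStore:
    """Holds the IdP's current signing certificates; refreshes them when an unknown one appears."""

    def __init__(self, fetch, min_refresh_interval=300):
        self.fetch = fetch  # returns metadata XML; in production an HTTPS GET of the Microsoft URL
        self.min_refresh_interval = min_refresh_interval  # throttle so unknown certs cannot force refetch storms
        self.certs = signing_certs(fetch())
        self.last_refresh = float("-inf")  # the first miss is always allowed to refresh

    def is_trusted(self, response_cert: str) -> bool:
        """Is the certificate named in a SAML response one the IdP currently publishes?

        Only a match against the metadata set makes the response's KeyInfo usable for
        signature verification; a certificate that the response merely carries is not trusted."""
        cert = "".join(response_cert.split())
        if cert in self.certs:
            return True
        if time.monotonic() - self.last_refresh < self.min_refresh_interval:
            return False
        self.certs = signing_certs(self.fetch())  # one refresh on a miss: this is what absorbs a rollover
        self.last_refresh = time.monotonic()
        return cert in self.certs
```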
