
Citrix support about SAML - Is the trust relationship based only on SHA1 hash?


Simon Bläsi

Question

Hello.

We have Citrix StoreFront 1912 LTSR CU1 installed. SAML Authentication is configured.

When configuring the identity provider for SAML Authentication, the signing certificate can be uploaded under Receiver -> Manage Authentication Methods -> SAML Identity Provider configuration.

The uploaded certificate cannot be found in the Windows certificate store. The thumbprint of the uploaded certificate can be seen under the AuthenticationService’s AuthenticationSettings.samlForms.SamlSettings.IdentityProvider.SigningCertificates configuration.

The thumbprint of the certificate is calculated using a SHA1 hash. I would like to ask if the trust relationship is based only on that SHA1 hash? Is the signing certificate of the identity provider validated by comparing the signing certificate’s thumbprint with the stored thumbprint value?

Any feedback is welcome. Thanks!


3 answers to this question


SAML uses the Public Key from the IdP cert to compute the hash of the SAML Assertion and then compare it to the signature hash that the IdP included in the SAML Assertion. If the two don't match, then the SAML Assertion is rejected. StoreFront uses the certificate thumbprint to identify the IdP cert whose public key should be used to verify the SAML Assertion's signature.


Thanks a lot! Just to be sure, is the IdP certificate public key stored by Citrix StoreFront or only its thumbprint value? My question is whether the saved thumbprint value is used to identify the certificate from the StoreFront local certificate store, or whether the thumbprint is used to select the certificate and its public key coming with the SAML response.

Link to comment
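The thumbprint check described in the answer, applied to the case the follow-up asks about (the certificate arrives with the SAML response), as an added Go example. It is not StoreFront's code, and the page does not say which storage model StoreFront uses. Function names are hypothetical, the certificate and assertion are constructed, and the signature covers raw bytes rather than canonicalized XML-DSig.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Thumbprint is the SHA-1 digest of the DER-encoded certificate, as Windows displays it.
func Thumbprint(certDER []byte) [20]byte { return sha1.Sum(certDER) }

// NewIdP builds a constructed self-signed signing certificate (demo data only).
func NewIdP(cn string) (*rsa.PrivateKey, []byte) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der
}

// Sign stands in for the IdP signing an assertion (raw bytes, no XML canonicalization).
func Sign(key *rsa.PrivateKey, assertion []byte) []byte {
	h := sha256.Sum256(assertion)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return sig
}

// Verify trusts a certificate only if it hashes to the pinned thumbprint, then uses its key.
func Verify(pinned [20]byte, certDER, assertion, sig []byte) error {
	if Thumbprint(certDER) != pinned {
		return fmt.Errorf("certificate does not match pinned thumbprint")
	}
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return err
	}
	return cert.CheckSignature(x509.SHA256WithRSA, assertion, sig)
}

func main() {
	key, der := NewIdP("idp.example")
	fmt.Println("verify error:", Verify(Thumbprint(der), der, []byte("constructed"), Sign(key, []byte("constructed"))))
}
```

In this model the thumbprint only selects which certificate is trusted; the signature itself is still checked with that certificate's public key, so a response carrying a different certificate fails before any signature math runs.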
