This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 49%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELG%3C/text%3E%3C/svg%3E)
I am using Spring security https://docs.spring.io/spring-security/reference/5.7/servlet/saml2/logout.html for implementing SAML single logout. I got my single logout flow to work by providing a dummy set or private and public key since it requires me to sign my logoutrequest but it looks like Azure depends on the metadata for getting the certificate for verifying the loquestrequest. Since signing requires providing a private key how can I get the private key generated by Azure? This https://video2.skills-academy.com/en-us/answers/questions/1347153/singlelogout provided some insights as to where it checks for the certificate but not a way to overcome disabling of logoutrequest signing. Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 45%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi @Lee G
Thank you for posting your query on Q&A.
I understand that you would like to know how you can get the private key generated by Azure.
The private key associated with the certificate used for signing is not generated by Azure and cannot be downloaded from Azure, because the Service Provider (SP) holds its own public-private key pair.
The private key is typically stored in your service provider (SP) application and is used to sign a SAML Request to the Identity Provider (IdP).
The Identity Provider only requires the Service Provider’s public key certificate. This public certificate is used by Azure AD to verify the signatures of the SAML requests it receives. You need to generate and manage the private key on your own and it should be securely stored on your infrastructure.
I hope this information helps! please Feel free to ask any questions you may have.
https://video2.skills-academy.com/en-us/entra/identity/enterprise-apps/certificate-signing-options
https://stackoverflow.com/questions/56938997/saml-certificate-private-key
https://stackoverflow.com/questions/60424527/saml-private-and-public-key-sharing
Thanks,
Akhilesh.
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Thank you the quick reply. I wanted more clarification, I have my private and public key stored in the SP application end. As per SAML2 logout docs:
Saml2LogoutRequestResolver to create, sign, and serialize a <saml2:LogoutRequest> based on the RelyingPartyRegistration associated with the currently logged-in user.RelyingPartyRegistration<saml2:LogoutResponse> sent by the asserting partyIt looks like I want to sign only the loqoutRequest and get the logoutResponse based on SP application key similar to OKTA. In OKTA I was able to upload the certificate used for loqout as mentioned in the stackoverflow link so does Azure have something similar that does not sign authentication request but only the logout piece?
Thanks once again.