Microsoft Example code: Show on docs
PATCH https://graph.microsoft.com/v1.0/servicePrincipals/f47a6776-bca7-4f2e-bc6c-eec59d058e3e
Content-type: servicePrincipals/json
{
  "keyCredentials": [
    {
      "customKeyIdentifier": "lY85bR8r6yWTW6jnciNEONwlVhDyiQjdVLgPDnkI5mA=",
      "endDateTime": "2021-04-22T22:10:13Z",
      "keyId": "4c266507-3e74-4b91-aeba-18a25b450f6e",
      "startDateTime": "2020-04-22T21:50:13Z",
      "type": "AsymmetricX509Cert",
      "usage": "Sign",
      "key": "MIIKIAIBAz.....HBgUrDgMCERE20nuTptI9MEFCh2Ih2jaaLZBZGeZBRFVNXeZmAAgIH0A==",
      "displayName": "CN=awsAPI"
    },
    {
      "customKeyIdentifier": "lY85bR8r6yWTW6jnciNEONwlVhDyiQjdVLgPDnkI5mA=",
      "endDateTime": "2021-04-22T22:10:13Z",
      "keyId": "e35a7d11-fef0-49ad-9f3e-aacbe0a42c42",
      "startDateTime": "2020-04-22T21:50:13Z",
      "type": "AsymmetricX509Cert",
      "usage": "Verify",
      "key": "MIIDJzCCAg+gAw......CTxQvJ/zN3bafeesMSueR83hlCSyg==",
      "displayName": "CN=awsAPI"
    }
  ],
  "passwordCredentials": [
    {
      "customKeyIdentifier": "lY85bR8r6yWTW6jnciNEONwlVhDyiQjdVLgPDnkI5mA=",
      "keyId": "4c266507-3e74-4b91-aeba-18a25b450f6e",
      "endDateTime": "2022-01-27T19:40:33Z",
      "startDateTime": "2020-04-20T19:40:33Z",
      "secretText": "61891f4ee44d"
    }
  ]
}
Microsoft Documentation: Show on docs
Using PATCH to set passwordCredential is not supported. Use the addPassword and removePassword methods to update the password for a servicePrincipal.
Why does Microsoft create documentation that no longer matches the API calls?
@zandercodes
Thanks for your feedback! We will investigate and update as appropriate.
3 days later and nothing has happened.
Why?
I am currently seeing this issue as well. Along with that, if I remove the prescribed passwordCredentials field, and only include the keyCredentials I get a different error that doesn't seem to be correct:
Request
{
  "keyCredentials": [
    {
      "customKeyIdentifier": "N0Mz...Ao=",
      "endDateTime": "2021-04-22T22:10:13Z",
      "keyId": "d89b46f5-3230-4f50-af6c-24dd9b29b9b7",
      "startDateTime": "2020-04-22T21:50:13Z",
      "type": "AsymmetricX509Cert",
      "usage": "Sign",
      "key": "MI...yClyjA==",
      "displayName": "CN=myApp"
    },
    {
      "customKeyIdentifier": "N0Mz...Ao=",
      "endDateTime": "2021-04-22T22:10:13Z",
      "keyId": "01f8461d-c17a-4cfd-b064-916e7b2dae25",
      "startDateTime": "2020-04-22T21:50:13Z",
      "type": "AsymmetricX509Cert",
      "usage": "Verify",
      "key": "MII...oPwg==",
      "displayName": "CN=myApp"
    }
  ]
}
Response
{
  "error": {
    "code": "Request_BadRequest",
    "message": "The value for the property \"usage\" in one of your credentials is invalid. Acceptable values are Sign, Verify.",
    "innerError": {
      "date": "2020-07-10T19:02:32",
      "request-id": "88c41afb-731d-4b5a-85cc-475435fdb1c5"
    }
  }
}
As you can see, the "usage" values are both correct based on the documentation and what the error message says, but it still doesn't consider them valid. Does this belong as part of this issue, or is it its own issue?
You can PATCH passwordCredentials with keyCredentials where usage="Sign" if the keyId for the keyCredential used for "Sign" matches the keyId of the passwordCredential.
What is the error that you're getting?
@luleonpla
You can PATCH passwordCredentials with keyCredentials where usage="Sign" if the keyId for the keyCredential used for "Sign" matches the keyId of the passwordCredential.
What is the error that you're getting?
Thank you, but here's what you need to remember.
The Microsoft documentation is really bad.
Microsoft GraphAPI Docs Service Principal Update
Using PATCH to set passwordCredential is not supported. Use the addPassword and removePassword methods to update the password for a servicePrincipal.
This is not true in this case, because you have to send the password when uploading the sign certificates.
The sign certificate must be exported as Pkcs12 with password and the verify as raw certificate.
The keyId of the sign and password credential must be the same. Generate a GUID with Guid.NewGuid().
Please note that the password is valid as long as the certificate.
Example Code:
{
  "keyCredentials": [
    {
      "customKeyIdentifier": "SFZzR2JqcWJUVVZvdkxmUHRxdDdZajRnZVdZPQ==",
      "endDateTime": "2030-07-11T11:11:36+02:00",
      "keyId": "2d79c40c-a203-4582-b3d8-de12f01ce344",
      "startDateTime": "2020-07-12T11:11:36+02:00",
      "type": "AsymmetricX509Cert",
      "usage": "Sign",
      "key": "MIIJ4AIB...AgfQ",
      "displayName": "CN=awsAPI",
      "@odata.type": "microsoft.graph.keyCredential"
    },
    {
      "customKeyIdentifier": "SFZzR2JqcWJUVVZvdkxmUHRxdDdZajRnZVdZPQ==",
      "endDateTime": "2030-07-11T11:11:36+02:00",
      "keyId": "08e16011-36bf-4de3-9265-fb5a40a67784",
      "startDateTime": "2020-07-12T11:11:36+02:00",
      "type": "AsymmetricX509Cert",
      "usage": "Verify",
      "key": "MIIC3DCC...yg==",
      "displayName": "CN=awsAPI",
      "@odata.type": "microsoft.graph.keyCredential"
    }
  ],
  "passwordCredentials": [
    {
      "customKeyIdentifier": "SFZzR2JqcWJUVVZvdkxmUHRxdDdZajRnZVdZPQ==",
      "endDateTime": "2030-07-11T11:11:36+02:00",
      "keyId": "2d79c40c-a203-4582-b3d8-de12f01ce344",
      "startDateTime": "2020-07-12T11:11:36+02:00",
      "secretText": "_3D29...w_l1",
      "@odata.type": "microsoft.graph.passwordCredential"
    }
  ],
  "@odata.type": "microsoft.graph.servicePrincipal"
}
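As an added example (not from the thread or from Microsoft's documentation), the pairing rule stated in the comments above, that the Sign keyCredential and the passwordCredential must carry the same keyId, can be checked before the PATCH is sent. The function names and sample values are hypothetical, the base64 blobs and customKeyIdentifier are passed through exactly as the caller supplies them, and the rule is the one the commenters describe rather than independently confirmed Graph behaviour.

```python
import copy
import uuid

ALLOWED_USAGE = {"Sign", "Verify"}


def build_patch_body(pfx_b64, cert_b64, pfx_password, custom_key_id, start, end, name):
    """Sign key (PKCS#12 blob) and passwordCredential share one new keyId."""
    sign_id = str(uuid.uuid4())  # Python counterpart of Guid.NewGuid()
    common = {"customKeyIdentifier": custom_key_id,
              "startDateTime": start, "endDateTime": end}
    def key(key_id, usage, blob):
        return {**common, "keyId": key_id, "type": "AsymmetricX509Cert",
                "usage": usage, "key": blob, "displayName": name}
    return {
        "keyCredentials": [key(sign_id, "Sign", pfx_b64),
                           key(str(uuid.uuid4()), "Verify", cert_b64)],
        "passwordCredentials": [{**common, "keyId": sign_id,
                                 "secretText": pfx_password}],
    }


def check_patch_body(body):
    """Return a list of problems; an empty list means the pairing rule holds."""
    problems = []
    password_ids = {p.get("keyId") for p in body.get("passwordCredentials", [])}
    for k in body.get("keyCredentials", []):
        if k.get("usage") not in ALLOWED_USAGE:
            problems.append(f"{k.get('keyId')}: usage must be Sign or Verify")
        elif k["usage"] == "Sign" and k.get("keyId") not in password_ids:
            problems.append(f"{k.get('keyId')}: Sign key has no "
                            "passwordCredential with the same keyId")
    return problems


def redact(body):
    """Copy of the body for logging, with key blobs and secretText masked."""
    safe = copy.deepcopy(body)
    for k in safe.get("keyCredentials", []):
        k["key"] = "<redacted>"
    for p in safe.get("passwordCredentials", []):
        p["secretText"] = "<redacted>"
    return safe


# Constructed placeholder values, not real credentials.
SAMPLE = build_patch_body("UEZY", "Q0VSVA==", "constructed-password",
                          "Y29uc3RydWN0ZWQ=", "2020-07-12T11:11:36+02:00",
                          "2030-07-11T11:11:36+02:00", "CN=example")
```

Because this request body carries both the PKCS#12 private key and its password, log only the output of `redact()`, never the body itself.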
I added proof of concept reference code from the product team. It should be live soon. I also submitted several other PRs to address issues and add clarity.