Allow to register primary and secondary "Verification key" for SAML IDP #2921

konvergence opened this issue Nov 13, 2024 · 3 comments
Labels: enhancement (New feature or request)

Comments


konvergence commented Nov 13, 2024


Problem

EntraID and ADFS allow a secondary certificate to be generated before the primary certificate expires, but continue to sign with the primary certificate for a certain period of time.
This allows applications to define 2 certificates (primary and secondary) and not be blocked when the IdP switches over to signing assertions.

Solution

If FusionAuth allowed 2 “Verification keys” (primary and secondary) to be defined on a SAMLv2 IdP, this would avoid having to undergo the IdP assertion signature changeover.

Alternatives/workarounds

No workaround, we have to change the “verification key” when the SAMLv2 IdP changes the assertion signature.
This will stop authentication until the signature is changed.

Additional context

I think there should be the same issue with other SAMLv2 IdPs.

How to vote

Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
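The rollover the issue describes, as an added example that is not FusionAuth's code: the SP keeps a primary and a secondary verification key and accepts an assertion signed by either, so the IdP's switch from one signing certificate to the other needs no SP-side change, while a key that is registered nowhere is still rejected. It assumes RSA-SHA256 over the raw assertion bytes and skips XML-DSig canonicalization; the keys and the assertion string are generated or constructed inline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// VerificationKeySet is the SP-side model the issue asks for: primary plus optional secondary key.
type VerificationKeySet struct {
	Primary, Secondary *rsa.PublicKey // Secondary stays nil until the IdP publishes its next cert
}

// Verify accepts the signature if any registered key validates it and reports which one matched.
func (ks VerificationKeySet) Verify(assertion, sig []byte) (string, error) {
	digest := sha256.Sum256(assertion)
	names := [2]string{"primary", "secondary"}
	for i, key := range [2]*rsa.PublicKey{ks.Primary, ks.Secondary} {
		if key != nil && rsa.VerifyPKCS1v15(key, crypto.SHA256, digest[:], sig) == nil {
			return names[i], nil
		}
	}
	return "", errors.New("signature matches no registered verification key")
}

// sign stands in for the IdP: RSA-SHA256 over the assertion bytes with its current signing key.
func sign(priv *rsa.PrivateKey, assertion []byte) []byte {
	digest := sha256.Sum256(assertion)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// Rollover walks the issue's scenario: the IdP signs with its old key, then switches to the
// new one, while the SP's registered keys never change; an unregistered key must still fail.
func Rollover() (before, after string, rejected bool) {
	old, _ := rsa.GenerateKey(rand.Reader, 2048)
	next, _ := rsa.GenerateKey(rand.Reader, 2048)
	rogue, _ := rsa.GenerateKey(rand.Reader, 2048)
	assertion := []byte(`<saml:Assertion ID="_constructed-sample"/>`) // constructed, not a real assertion
	sp := VerificationKeySet{Primary: &old.PublicKey, Secondary: &next.PublicKey}
	before, _ = sp.Verify(assertion, sign(old, assertion))
	after, _ = sp.Verify(assertion, sign(next, assertion))
	_, err := sp.Verify(assertion, sign(rogue, assertion))
	return before, after, err != nil
}
```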


mooreds commented Nov 18, 2024

@konvergence, thanks so much for submitting this issue! We have a large backlog of work so I can't commit to when we'll address this, but we really appreciate you submitting it.

konvergence (Author) commented

Perhaps if we could define a verification key made up of the 2 certificates, this would limit the impact?


mooreds commented Nov 19, 2024

I haven't looked at the code or tests so I'm not sure of the implementation details.
