Allow to register primary and secondary "Verification key" for SAML IDP
Problem
EntraID and ADFS allow a secondary certificate to be generated before the primary certificate expires, but continue to sign with the primary certificate for a certain period of time.
This allows applications to define 2 certificates (primary and secondary) and not be blocked when the IdP switches over to signing assertions.
Solution
If FusionAuth allowed 2 “Verification keys” (primary and secondary) to be defined on a SAMLv2 IdP, this would avoid having to undergo the IdP assertion signature changeover.
Alternatives/workarounds
No workaround; we have to change the “verification key” when the SAMLv2 IdP changes the assertion signature.
This will stop authentication until the signature is changed.
Additional context
I think there should be the same issue with other SAMLv2 IdPs.
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
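An added example, not FusionAuth's code nor anything from this issue: an SP-side verifier in Go (standard library only) that holds a configured set of IdP verification keys and reports which key validated an assertion, which is the behaviour the request above asks for. The two RSA keys, the key names and the assertion text are constructed stand-ins for the IdP's primary and secondary certificates.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// VerificationKey is one trusted IdP signing key configured on the SP side (never one taken from the assertion's own <ds:KeyInfo>).
type VerificationKey struct {
	Name string // constructed label, e.g. "primary" or "secondary"
	Pub  *rsa.PublicKey
}

// GenerateIdPKey stands in for an IdP signing certificate (constructed).
func GenerateIdPKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SignAssertion mimics the IdP: SHA-256 over the serialized assertion, then RSA
// PKCS#1 v1.5, the primitive behind SAML's rsa-sha256 (XML canonicalization omitted).
func SignAssertion(priv *rsa.PrivateKey, assertion []byte) ([]byte, error) {
	digest := sha256.Sum256(assertion)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyWithKeySet tries each configured key in order and reports which one validated
// the signature, so logins keep working through the IdP's rollover and the SP can log when the secondary key starts being used.
func VerifyWithKeySet(keys []VerificationKey, assertion, sig []byte) (string, error) {
	digest := sha256.Sum256(assertion)
	for _, k := range keys {
		if rsa.VerifyPKCS1v15(k.Pub, crypto.SHA256, digest[:], sig) == nil {
			return k.Name, nil
		}
	}
	return "", fmt.Errorf("signature matches no configured verification key")
}

func main() {
	primary, _ := GenerateIdPKey()
	secondary, _ := GenerateIdPKey()
	keys := []VerificationKey{{"primary", &primary.PublicKey}, {"secondary", &secondary.PublicKey}}
	assertion := []byte(`<saml:Assertion ID="_constructed">...</saml:Assertion>`) // constructed
	for _, signer := range []*rsa.PrivateKey{primary, secondary} { // IdP before/after switch-over
		sig, _ := SignAssertion(signer, assertion)
		fmt.Println(VerifyWithKeySet(keys, assertion, sig)) // "primary <nil>" then "secondary <nil>"
	}
}
```

Once "secondary" starts appearing in the SP's logs, the IdP has switched over and the retired primary key can be dropped from the set.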
@konvergence, thanks so much for submitting this issue! We have a large backlog of work so I can't commit to when we'll address this, but we really appreciate you submitting it.