We have also encountered this issue as a Service Provider. One of our Identity Providers is undergoing certificate rollover. Their IDP metadata contains an encryption certificate and two signing certificates. In our case, the old deprecated certificate occurs first and the new current certificate is happily ignored by the library. This comment and accompanying line of code is where the selection occurs: https://github.com/lastpass/saml-sdk-java/blob/master/src/main/java/com/lastpass/saml/IdPConfig.java#L153
Hi there!
It seems that when the Auto Certificate Rollover feature within ADFS is enabled, the SAML Metadata returns multiple signing certificates.
Check out Azure's policy for signing key rollover:
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-signing-key-rollover
Are you guys going to support this in IdpConfig.java?
(or is it already supported and am I doing something wrong here?)
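An added example, not code from lastpass/saml-sdk-java or from either commenter: one way a Service Provider can collect every signing certificate that IdP metadata advertises, rather than only the first, so a signature can be checked against each during rollover. The class and method names are hypothetical, and the metadata and certificate bodies are constructed placeholders.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;

public class SigningCertCollector {            // hypothetical name, not part of the SDK
    static final String MD = "urn:oasis:names:tc:SAML:2.0:metadata";
    static final String DS = "http://www.w3.org/2000/09/xmldsig#";

    /** Returns the decoded bytes of every IdP signing certificate, in document order. */
    static List<byte[]> signingCerts(String metadataXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        // Metadata is remote input: refuse DOCTYPEs so external entities cannot be resolved.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(metadataXml.getBytes(StandardCharsets.UTF_8)));
        List<byte[]> certs = new ArrayList<>();
        NodeList idps = doc.getElementsByTagNameNS(MD, "IDPSSODescriptor");
        for (int i = 0; i < idps.getLength(); i++) {
            NodeList keys = ((Element) idps.item(i)).getElementsByTagNameNS(MD, "KeyDescriptor");
            for (int k = 0; k < keys.getLength(); k++) {
                Element kd = (Element) keys.item(k);
                // A KeyDescriptor without "use" applies to both signing and encryption.
                String use = kd.getAttribute("use");
                if (!use.isEmpty() && !use.equals("signing")) continue;
                NodeList x509 = kd.getElementsByTagNameNS(DS, "X509Certificate");
                for (int c = 0; c < x509.getLength(); c++)
                    certs.add(Base64.getMimeDecoder().decode(x509.item(c).getTextContent()));
            }
        }
        return certs;
    }

    // Builds one constructed KeyDescriptor element for the sample metadata below.
    static String kd(String use, String b64) {
        return "<KeyDescriptor use='" + use + "'><ds:KeyInfo><ds:X509Data><ds:X509Certificate>"
            + b64 + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>";
    }

    public static void main(String[] args) throws Exception {
        // Constructed metadata: bodies are base64 of "ENC", "OLD", "NEW", not real X.509.
        String xml = "<EntityDescriptor xmlns='" + MD + "' xmlns:ds='" + DS + "' entityID='https://idp.example'>"
            + "<IDPSSODescriptor protocolSupportEnumeration='urn:oasis:names:tc:SAML:2.0:protocol'>"
            + kd("encryption", "RU5D") + kd("signing", "T0xE") + kd("signing", "TkVX")
            + "</IDPSSODescriptor></EntityDescriptor>";
        for (byte[] der : signingCerts(xml)) System.out.println(new String(der, StandardCharsets.US_ASCII));
    }
}
```

With real metadata, each returned byte array can be parsed with `CertificateFactory.getInstance("X.509").generateCertificate(...)`, and a signature is accepted if it verifies under any one of the resulting certificates.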