OPENAM-1059: Support multiple "signing" certificates in idp.xml

Details

• Type: Bug
• Status: Resolved
• Priority: Major
• Resolution: Duplicate
• Affects Version/s: 9.5.4
• Fix Version/s: None
• Component/s: SAML
• Labels: None

Description

We have several applications which connect to AD FS using Fedlet, i.e., the opensso/fedlet/Fedlet-unconfigured.zip file in the OpenAM delivery. AD FS supports multiple signing certificates.

We observe that if we use the FederationMetadata.xml from AD FS (well, actually, only the <IDPSSODescriptor> part) as the idp.xml file, then Fedlet will use only the first <KeyDescriptor use="signing">, and completely ignore the others. This is especially inconvenient if this first <KeyDescriptor> is a 'secondary' AD FS token-signing certificate, meaning that another of the certificates is actually used for signing tokens: this makes the signature verification always fail. (The only workaround is manual editing of the idp.xml file.)

This JIRA issue is a request to support multiple "signing" certificates in idp.xml.

Looking at the code, it looks like both com.sun.identity.saml2.key.KeyUtil.getKeyDescriptor() methods (see here and here) stop looking when they find the first <KeyDescriptor> with the correct use.

Also, this note in SAML2MetaSecurityUtils suggests that the support of one signing certificate is intentional.
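As an added example (not Fedlet's or OpenAM's code, and not the reporter's), the following Python collects every signing KeyDescriptor from a constructed IDPSSODescriptor and shows why a first-match lookup rejects a token whose embedded certificate is the primary one listed second. The namespaces are the standard SAML metadata and XML-DSig ones; the certificate values are placeholders, not real certificates.

```python
# Added example (not OpenAM/Fedlet code): gather every <KeyDescriptor use="signing">
# from an IDPSSODescriptor and check the certificate a response claims to be signed
# with against all of them, not just the first. Standard library only.
import xml.etree.ElementTree as ET
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

def signing_certs(idp_xml, first_only=False):
    """Normalised base64 X509Certificate values of all signing KeyDescriptors.
    first_only=True reproduces the issue: stop at the first matching KeyDescriptor."""
    certs = []
    for kd in ET.fromstring(idp_xml).iter(f"{{{MD}}}KeyDescriptor"):
        # Per the SAML metadata schema, a KeyDescriptor without 'use' is valid for both.
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.iter(f"{{{DS}}}X509Certificate"):
            certs.append("".join((c.text or "").split()))  # drop PEM line wrapping
        if first_only and certs:
            break
    return certs

def embedded_signing_cert(response_xml):
    """Certificate carried in the response's ds:Signature/ds:KeyInfo, or None."""
    sig = ET.fromstring(response_xml).find(f".//{{{DS}}}Signature")
    c = sig.find(f".//{{{DS}}}X509Certificate") if sig is not None else None
    return "".join(c.text.split()) if c is not None and c.text else None

def signer_is_trusted(response_xml, trusted_certs):
    """The embedded cert must be one of the metadata signing certs; only then is it
    worth running full XML-DSig verification with that key."""
    return embedded_signing_cert(response_xml) in set(trusted_certs)

# Constructed metadata: the FIRST signing descriptor is the secondary AD FS cert, the
# SECOND is the primary actually used for tokens (certificate values are placeholders).
IDP_XML = f"""<IDPSSODescriptor xmlns="{MD}" xmlns:ds="{DS}">
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>U0VDT05EQVJZLUNFUlQ=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>UFJJTUFSWS1DRVJU</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>RU5DUllQVElPTg==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
</IDPSSODescriptor>"""

# Constructed response fragment carrying the primary cert, line-wrapped as PEM bodies are.
RESPONSE_XML = f"""<Response xmlns:ds="{DS}"><ds:Signature><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>UFJJTUFS
  WS1DRVJU</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></Response>"""
# signer_is_trusted(RESPONSE_XML, signing_certs(IDP_XML, first_only=True)) -> False
# signer_is_trusted(RESPONSE_XML, signing_certs(IDP_XML))                  -> True
```

With first-match semantics the trusted set holds only the secondary certificate, so the token signed with the primary one is rejected before any signature check; collecting all signing descriptors fixes that without weakening the check, since the embedded certificate still has to match one published in the metadata.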

People

• Assignee: Peter Major (peter.major, inactive)
• Reporter: marnix.klooster
• Votes: 3
• Watchers: 6
