[OPENAM-1059] Support multiple "signing" certificates in idp.xml Created: 17/Jan/12  Updated: 20/Nov/16  Resolved: 10/Sep/15

Status: Resolved
Project: OpenAM
Component/s: SAML
Affects Version/s: 9.5.4
Fix Version/s: None

Type: Bug Priority: Major
Reporter: marnix.klooster Assignee: Peter Major [X] (Inactive)
Resolution: Duplicate Votes: 3
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
duplicates OPENAM-3493 Update SAML to support multiple keys ... Resolved
Support Ticket IDs:

We have several applications which connect to AD FS using Fedlet, i.e., the opensso/fedlet/Fedlet-unconfigured.zip file in the OpenAM delivery. AD FS supports multiple signing certificates.

We observe that if we use the FederationMetadata.xml from AD FS (well, actually, only the <IDPSSODescriptor> part) as idp.xml file, then Fedlet will use only the first <KeyDescriptor use="signing">, and completely ignore the others. This is especially inconvenient if this first <KeyDescriptor> is a 'secondary' AD FS token-signing certificate, meaning that another of the certificates is actually used for signing tokens: this makes the signature verification always fail. (The only workaround is manual editing of the idp.xml file.)

This JIRA issue is a request to support multiple "signing" certificates in idp.xml.

Looking at the code, it looks like both com.sun.identity.saml2.key.KeyUtil.getKeyDescriptor() methods (see here and here) stop looking once they have found the first <KeyDescriptor> with the correct use.

Also, this note in SAML2MetaSecurityUtils suggests that the support of one signing certificate is intentional.
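The defect described above, with the collect-all behaviour beside it, as an added example (illustrative Python, not Fedlet's or OpenAM's Java code; the metadata document, the certificate values and the stand-in verification routine are constructed for this example):

```python
"""Added example: collect every signing certificate from a SAML 2.0
IDPSSODescriptor instead of stopping at the first <KeyDescriptor use="signing">.
Illustrative code, not Fedlet's or OpenAM's own implementation."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder certificate values (base64 of plain text, not real DER).
SECONDARY_B64 = base64.b64encode(b"placeholder-secondary-signing-cert").decode()
PRIMARY_B64 = base64.b64encode(b"placeholder-primary-signing-cert").decode()
ENCRYPTION_B64 = base64.b64encode(b"placeholder-encryption-cert").decode()

# Constructed metadata in the shape AD FS publishes during token-signing
# certificate rollover: the secondary certificate is listed first.
SAMPLE_IDP_XML = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {SECONDARY_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{PRIMARY_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{ENCRYPTION_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _certs_in(key_descriptor):
    """Yield the whitespace-stripped base64 body of every X509Certificate
    under one KeyDescriptor (a descriptor may carry a whole chain)."""
    for cert in key_descriptor.iterfind(".//ds:X509Certificate", NS):
        yield "".join((cert.text or "").split())


def _signing_descriptors(xml_text):
    root = ET.fromstring(xml_text)
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # Per SAML metadata, a KeyDescriptor with no 'use' attribute applies
        # to both signing and encryption, so it counts as a signing key too.
        if kd.get("use") in (None, "signing"):
            yield kd


def first_signing_certificate(xml_text):
    """Behaviour reported in the issue: stop at the first matching KeyDescriptor."""
    for kd in _signing_descriptors(xml_text):
        return next(_certs_in(kd), None)
    return None


def signing_certificates(xml_text):
    """Requested behaviour: every certificate usable for signature verification."""
    return [c for kd in _signing_descriptors(xml_text) for c in _certs_in(kd)]


def verify_with_any(message, signature, candidates, verify_fn):
    """Try each candidate certificate; return the one that verifies, else None."""
    for cert in candidates:
        if verify_fn(cert, message, signature):
            return cert
    return None


def _stand_in_verify(cert_b64, message, signature):
    """Stand-in for a real XML-signature check, constructed for this example:
    a keyed digest over the message using the certificate bytes as the key."""
    expected = hmac.new(base64.b64decode(cert_b64), message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


def demo():
    """Simulate an assertion signed with the primary certificate (second in the
    metadata). Returns (result with first-only lookup, result with all keys)."""
    message = b"<saml:Assertion>constructed sample</saml:Assertion>"
    signature = hmac.new(base64.b64decode(PRIMARY_B64), message, hashlib.sha256).digest()
    only_first = [first_signing_certificate(SAMPLE_IDP_XML)]
    return (
        verify_with_any(message, signature, only_first, _stand_in_verify),
        verify_with_any(message, signature, signing_certificates(SAMPLE_IDP_XML), _stand_in_verify),
    )


if __name__ == "__main__":
    print(demo())  # (None, PRIMARY_B64): first-only lookup fails, all-keys lookup succeeds
```

The first-only lookup returns the secondary certificate and verification fails, which is the rollover failure the report describes; iterating over every signing (or use-less) KeyDescriptor lets the primary certificate be found without hand-editing idp.xml.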

Comment by marnix.klooster [ 18/Jan/12 ]

We are thinking about working on this issue ourselves, and submitting a patch. Apart from the general description of the development process, is there any additional info about this specific topic: What was the background behind supporting a single signing certificate? What do we need to look out for? Where can we add unit tests? Given that we only use Fedlet with AD FS, how can we test our code changes in other scenarios?

Thanks for any help you can provide!

Comment by marnix.klooster [ 20/Feb/12 ]

Does the silence mean that nobody is reading this? Or that I'm better off posting on the mailing list? Or that we're the only ones who use Fedlet with AD FS and want automatic certificate rollover to just work?

Comment by Peter Major [X] (Inactive) [ 20/Feb/12 ]

You could try to post these things on the openam-dev list, but unfortunately most of your questions are hard to answer.

Comment by Peter Major [X] (Inactive) [ 10/Sep/15 ]

OPENAM-3493 appears to provide a bit more generic description of this problem, resolving this as duplicate.

Comment by Zaeher RACHID [ 11/Dec/15 ]

Could you tell me if the support of multiple certificates in metadata will be available for IDPs and SPs? And not only in Fedlet but also within the OpenAM server?

Thanks for the clarification


Generated at Tue Nov 24 21:25:23 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.