[OPENAM-1059] Support multiple "signing" certificates in idp.xml Created: 17/Jan/12 Updated: 20/Nov/16 Resolved: 10/Sep/15
Reporter: marnix.klooster
Assignee: Peter Major [X] (Inactive)
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Support Ticket IDs:
We have several applications which connect to AD FS using Fedlet, i.e., the opensso/fedlet/Fedlet-unconfigured.zip file in the OpenAM delivery. AD FS supports multiple signing certificates.
We observe that if we use the FederationMetadata.xml from AD FS (well, actually, only the <IDPSSODescriptor> part) as idp.xml file, then Fedlet will use only the first <KeyDescriptor use="signing">, and completely ignore the others. This is especially inconvenient if this first <KeyDescriptor> is a 'secondary' AD FS token-signing certificate, meaning that another of the certificates is actually used for signing tokens: this makes the signature verification always fail. (The only workaround is manual editing of the idp.xml file.)
This JIRA issue is a request to support multiple "signing" certificates in idp.xml.
Also, this note in SAML2MetaSecurityUtils suggests that the support of one signing certificate is intentional.
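The behaviour described above comes down to key selection: an SP that keeps only the first <KeyDescriptor use="signing"> cannot verify anything signed with the IdP's other token-signing certificate. As an added illustration (not Fedlet or OpenAM code, and not the reporter's patch), the following Python parses an <IDPSSODescriptor>, collects every certificate declared for signing (including a <KeyDescriptor> with no use attribute, which the SAML 2.0 metadata specification defines as valid for both signing and encryption), and picks the verification certificate from that whole set. The metadata, the placeholder base64 blobs standing in for DER certificates, and the `signed_by_primary` callback (a stand-in for the XML-signature check a library would perform) are all constructed for this example.

```python
"""Collect every IdP signing certificate from SAML 2.0 metadata and select
the verification certificate from the whole set, not just the first one.

Added example; not OpenAM/Fedlet code.  Metadata and certificate blobs are
constructed placeholders, not real X.509 DER."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Callable, List, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed metadata: the first use="signing" entry is the "secondary"
# certificate, the second is the one actually signing tokens, as in the report.
SAMPLE_IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        U0VDT05EQVJZLVBMQUNFSE9MREVS
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>UFJJTUFSWS1QTEFDRUhPTERFUg==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>RU5DUllQVElPTi1QTEFDRUhPTERFUg==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>Qk9USC1QTEFDRUhPTERFUg==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def signing_certs(metadata_xml: str) -> List[bytes]:
    """Return the DER bytes of every certificate the IdP declares for signing.

    use="signing" counts, and so does a KeyDescriptor with no use attribute
    (the SAML 2.0 metadata spec: no use means both signing and encryption).
    use="encryption" is excluded."""
    root = ET.fromstring(metadata_xml)
    idp = root.find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for node in kd.findall(".//ds:X509Certificate", NS):
            # Certificate bodies are usually line-wrapped; drop all whitespace.
            b64 = "".join((node.text or "").split())
            certs.append(base64.b64decode(b64, validate=True))
    return certs


def thumbprint(der: bytes) -> str:
    """SHA-256 thumbprint, used to compare certificates by identity."""
    return hashlib.sha256(der).hexdigest()


def verify_with_trusted(trusted: List[bytes], presented: Optional[bytes],
                        verify: Callable[[bytes], bool]) -> Optional[bytes]:
    """Return the trusted certificate that verifies the message, or None.

    `verify(cert)` is the caller's signature check against one certificate.
    A certificate carried in the message's own ds:KeyInfo is only a hint:
    it must match one declared in metadata, otherwise verification fails
    instead of trusting a key the sender chose."""
    trusted_by_fp = {thumbprint(c): c for c in trusted}
    if presented is not None:
        cert = trusted_by_fp.get(thumbprint(presented))
        if cert is None:
            return None
        return cert if verify(cert) else None
    # No hint: the IdP may be mid-rollover, so try every declared cert.
    for cert in trusted:
        if verify(cert):
            return cert
    return None


PRIMARY = b"PRIMARY-PLACEHOLDER"  # decoded form of the second signing blob


def signed_by_primary(cert: bytes) -> bool:
    """Stand-in for the real XML-signature check: in this constructed
    scenario only the 'primary' certificate produced the signature."""
    return cert == PRIMARY


if __name__ == "__main__":
    certs = signing_certs(SAMPLE_IDP_METADATA)
    print("signing certs declared:", [thumbprint(c)[:16] for c in certs])
    # Behaviour in the report: only the first KeyDescriptor is consulted.
    print("first cert only:", verify_with_trusted(certs[:1], None, signed_by_primary))
    # Requested behaviour: every declared signing certificate is a candidate.
    print("all signing certs:", verify_with_trusted(certs, None, signed_by_primary))
```

With only the first certificate in the trusted set the check returns None, which is the "signature verification always fails" symptom; with the full set it finds the primary certificate. The same selection logic covers the IdP side verifying SP-signed requests, since SPSSODescriptor uses the same KeyDescriptor layout.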
|Comment by marnix.klooster [ 18/Jan/12 ]|
We are thinking about working on this issue ourselves, and submitting a patch. Apart from the general description of the development process, is there any additional info about this specific topic? What was the background behind supporting a single signing certificate? What do we need to look out for? Where can we add unit tests? Given that we only use Fedlet with AD FS, how can we test our code changes in other scenarios?
Thanks for any help you can provide!
|Comment by marnix.klooster [ 20/Feb/12 ]|
Does the silence mean that nobody is reading this? Or that I'm better off posting on the mailing list? Or that we're the only one who use Fedlet with AD FS and want automatic certificate rollover to just work?
|Comment by Peter Major [X] (Inactive) [ 20/Feb/12 ]|
You could try to post these things on the openam-dev list, but unfortunately most of your questions are hard to answer.
|Comment by Peter Major [X] (Inactive) [ 10/Sep/15 ]|
|Comment by Zaeher RACHID [ 11/Dec/15 ]|
Could you tell me if support for multiple certificates in metadata will be available for IdPs and SPs? And not only in Fedlet but also within the OpenAM server?
Thanks for the clarification.