[OPENAM-3493] Update SAML to support multiple keys (key rollover) Created: 07/Jan/14  Updated: 18/Aug/19  Resolved: 22/Oct/15

Status: Resolved
Project: OpenAM
Component/s: SAML
Affects Version/s: 9.5.5, 10.0.2, 11.0.0
Fix Version/s: 13.0.0

Type: New Feature Priority: Minor
Reporter: Jonathan Thomas Assignee: Peter Major [X] (Inactive)
Resolution: Fixed Votes: 13
Labels: 12.0.4-Candidate, AME, CustomerRFE, release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
is duplicated by OPENAM-1059 Support multiple "signing" certificat... Resolved
Target Version/s:
Epic Link: SAML Improvements
Support Ticket IDs:


Request from User:

The SAML metadata allows multiple KeyDescriptor elements in RoleDescriptor which should mean that both SPSSODescriptor and IDPSSODescriptor can support multiple encryption keys but it seems OpenAM only uses the first one.

This makes certificate renewals problematic as it means interruption of service to users unless we change the definition at our IdP at exactly the same time as SP updates their systems. If OpenAM would support multiple KeyDescriptors then things would just continue to work when the certificate gets switched.

Current Workaround: disable SP certificate verification on the IdP side.

Comment by Andy Hall [ 07/Apr/14 ]

This is something we would like to do but changes in this area would demand an extensive test cycle.

Comment by Peter Major [X] (Inactive) [ 22/Oct/15 ]

This is now resolved for 13.0.0 with AME-8212 (subject of merging in the SAML branch from the newton repo)

Comment by Peter Major [X] (Inactive) [ 22/Oct/15 ]

New features are quite unlikely to go into 11.0.x. As the corresponding changes are not necessarily complex in nature, there is a chance that this may make its way back to 12.0.3 though.
Please bear in mind, that the fix is all about supporting more than one certificate for signature validation, as well for decryption. Automatic/periodic metadata updates are not implemented (e.g. Shibboleth's MetadataProvider with reloadInterval or obeying validUntil/cacheDuration elements in SAML metadata XMLs).

Comment by Corey Puffalt [ 17/Mar/16 ]

Peter, was a decision made on backporting this enhancement to the 12.x series?

Ewald, can you share details on what your custom software is doing exactly to handle this? We're currently on 11.x and have this same problem.

Comment by Peter Major [X] (Inactive) [ 18/Mar/16 ]

This feature will be certainly not part of the 12.0.3 release (it's already beefy enough). It may be backported to 12.0.4 granted there is sufficient commercial demand for it (i.e. raise a support ticket if you'd like to have this in 12.0.4).

Comment by Ewald Wasscher [X] (Inactive) [ 20/Apr/16 ]


  • the reason for me not reacting is that I've been on holiday
  • we'll probably directly go from 11 to 13 later this year so a backport to 12 is of no need to us


  • I'll see if I can get our developer to share some details.
Generated at Tue Oct 27 00:08:41 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.