Multiple Client Certificates?

Jan 12, 2015 at 5:32 PM
Can the SAML2 client support multiple Public certificates?

Multiple certs allow installation of a renewed public cert prior to update of the private cert and avoids an outage during Cert renewal. I have searched the docs, but didn't seem to find anything.


Mar 18, 2015 at 5:53 PM
No, this library does not support multiple <signingCertificate> elements. Certificate expiration would require a coordinated effort by BOTH sides, as the public key hand off needs to be facilitated.

Now, if your IdP is smart enough to support the SAML Metadata endpoints, there's some options here.

First, this library DOES have an HTTP module for automatically downloading IdP metadata from their metadata endpoints if you set it up (See documentation). This would handle the IdP certificate updates, with the caveat that you would need to restart your application real quick.

The other direction though is a bit different, and would depend on the IdP implementation. This library does expose a Metadata endpoint where an IdP could do something very similar in reverse, if it supported it. That would allow you to just update your side, and it could pick up the new metadata, etc...

But in practice, this is just a manual process. Automatic public key updates could be frowned upon for various reasons (It makes it easier for someone to silently replace your certificate with their own, etc.).
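An added example, not code from the library or from either poster: a small Python check a service provider could run over freshly downloaded IdP metadata. It lists every signing certificate carried in the metadata (several KeyDescriptor elements is how metadata carries an overlapping old and new key during a rollover) and accepts the refresh only when a key it already trusts is still present, which is one way to address the silent-replacement concern in the answer above. The entityID, the sample metadata and the certificate bytes are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

def fingerprint(der):
    # SHA-256 over the DER bytes, the usual way to pin a certificate
    return hashlib.sha256(der).hexdigest()

def signing_cert_fingerprints(metadata_xml):
    # Collect every signing certificate; a KeyDescriptor without a 'use'
    # attribute covers both signing and encryption, so it counts as well.
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iter("{%s}KeyDescriptor" % MD_NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iter("{%s}X509Certificate" % DS_NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fps.append(fingerprint(der))
    return fps

def rollover_is_safe(trusted, fetched):
    # Accept refreshed metadata only while at least one already-trusted
    # signing key survives. Adding a renewed key next to the old one passes;
    # a wholesale swap of every key is rejected and left for manual review.
    return bool(trusted) and any(fp in trusted for fp in fetched)

# Constructed sample: these byte strings stand in for DER certificates.
OLD_DER = b"placeholder DER of the current IdP signing certificate"
NEW_DER = b"placeholder DER of the renewed IdP signing certificate"
ROGUE_DER = b"placeholder DER of an unrelated certificate"

def idp_metadata(*ders):
    # Build minimal IdP metadata with one signing KeyDescriptor per cert
    keys = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        "<ds:X509Certificate>%s</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        % base64.b64encode(d).decode() for d in ders)
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" '
            'entityID="https://idp.example.test/metadata">'
            '<md:IDPSSODescriptor protocolSupportEnumeration='
            '"urn:oasis:names:tc:SAML:2.0:protocol">%s</md:IDPSSODescriptor>'
            "</md:EntityDescriptor>" % (MD_NS, DS_NS, keys))

if __name__ == "__main__":
    trusted = {fingerprint(OLD_DER)}
    print(rollover_is_safe(trusted, signing_cert_fingerprints(idp_metadata(OLD_DER, NEW_DER))))
    print(rollover_is_safe(trusted, signing_cert_fingerprints(idp_metadata(ROGUE_DER))))
```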