I have a question about certificates generated in metadata (my SP). Our IdP says that when I change the certificate, I can publish it in metadata, for example, 20 days ago as a secondary. How can the IdP download this, establish trust and then (for example, 5 days before the expiration date) my SP switches from secondary to primary?
Can I install any certificate as secondary? How can I do this?
I think it's a fairly common certificate change problem, but I did not find such information about the certificate hierarchy in the metadata.
We use Spring Security SAML v1.0.1.
Thanks!
EDIT
I added another property to my extended dataset and added another KeyDescriptor to spDescriptor, and then it works: it generates metadata with two certificates using useType SIGNING, and an ADFS server can load it. Please note that you cannot have multiple encryption keys in metadata (if you work with ADFS; I do not know the case with any other IdP).
But a new question arose. I need to sign my metadata, and I found that if the property named
`<property name="signingKey" value="alias"/>`
is empty (the certificate is old, and I do not want to use it), the metadata is not signed. Can I use my custom property like
`<property name="signingKeySecondary" value="alias2" />`
to sign the metadata?
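As an added illustration of the rollover described in the edit above (this is example code, not from the question or from Spring Security SAML), the following builds SP metadata that publishes both the old and the new certificate under `use="signing"` with a single `use="encryption"` entry, and models what an IdP does with it: it pins every published signing certificate, so a message signed with either one is accepted until the old entry is dropped. Certificate bytes, entity ID and function names are constructed assumptions.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed stand-ins for the DER bytes of the old and new SP certificates (not real certs).
OLD_CERT = b"constructed-old-sp-cert"
NEW_CERT = b"constructed-new-sp-cert"

def key_descriptor(cert_der: bytes, use: str) -> ET.Element:
    """One md:KeyDescriptor with the certificate base64-encoded in ds:X509Certificate."""
    kd = ET.Element(f"{{{MD}}}KeyDescriptor", use=use)
    x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = base64.b64encode(cert_der).decode()
    return kd

def build_sp_metadata(entity_id: str, signing_certs, encryption_cert: bytes) -> str:
    """SP metadata: every signing cert the IdP should trust during rollover, one encryption cert."""
    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    for der in signing_certs:
        sp.append(key_descriptor(der, "signing"))
    sp.append(key_descriptor(encryption_cert, "encryption"))
    return ET.tostring(root, encoding="unicode")

def _descriptors(metadata_xml: str, use: str):
    """KeyDescriptors valid for `use`; per the SAML metadata spec, no use attribute means both."""
    for kd in ET.fromstring(metadata_xml).iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") in (use, None):
            yield kd

def trusted_signing_fingerprints(metadata_xml: str) -> set:
    """What the IdP pins after loading the metadata: SHA-256 of each published signing cert."""
    return {hashlib.sha256(base64.b64decode(kd.find(f".//{{{DS}}}X509Certificate").text)).hexdigest()
            for kd in _descriptors(metadata_xml, "signing")}

def idp_accepts_signer(metadata_xml: str, signer_cert_der: bytes) -> bool:
    """True if a message signed under signer_cert_der would match a published signing cert."""
    return hashlib.sha256(signer_cert_der).hexdigest() in trusted_signing_fingerprints(metadata_xml)

def encryption_key_count(metadata_xml: str) -> int:
    """The ADFS constraint from the post: the SP must publish at most one encryption key."""
    return sum(1 for _ in _descriptors(metadata_xml, "encryption"))
```

A real IdP verifies the XML signature with the public key of a pinned certificate; the fingerprint comparison here stands in for that step so the rollover logic can be checked offline.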