I'm looking at a SAML IdP's metadata and it lists three unique certificates - 2 signing and 1 encryption.
...
<md:KeyDescriptor use="signing">
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Data>
      <ds:X509Certificate>
      </ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="signing">
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Data>
      <ds:X509Certificate>
      </ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Data>
      <ds:X509Certificate>
      </ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</md:KeyDescriptor>
...
I understand why it lists a signing and encryption certificate, but how do I determine which signing certificate to use in my service provider? Why are there two signing certificates at all?
Thanks in advance!
When the IdP is changing its signing certificates, it first publishes the new certificate in parallel with the old certificate in the metadata. When the IdP actually switches over to using the new certificate, all SPs must know of the new certificate, or they will not be able to validate the signatures.
As an SP you have no idea of where in the process the IdP is, so you have to check whether the signature validates against either of the two listed certificates.
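As an added example, not code from the original answer or from any SAML library: a Python sketch of the rule above, parsing IdP metadata (a constructed sample with placeholder certificate bodies, not real X.509 data) to collect every certificate an SP may use for signature validation and then trying each one in turn. It goes slightly beyond the answer by also accepting a KeyDescriptor with no use attribute, which the SAML metadata specification defines as valid for both signing and encryption; the actual XML-signature check is passed in as a callback (it needs an xmlsec-type library) and is assumed, not implemented here.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholders standing in for DER-encoded certificates (not real X.509 data).
OLD_SIGNING = b"constructed-old-signing-cert"
NEW_SIGNING = b"constructed-new-signing-cert"
DUAL_USE = b"constructed-dual-use-cert"
ENCRYPTION = b"constructed-encryption-cert"

def _key_descriptor(der, use=None):
    """Render one md:KeyDescriptor; the base64 is line-wrapped as real metadata often is."""
    b64, attr = base64.b64encode(der).decode(), f' use="{use}"' if use else ""
    return (f"<md:KeyDescriptor{attr}><ds:KeyInfo><ds:X509Data><ds:X509Certificate>\n"
            f"  {b64[:12]}\n  {b64[12:]}\n</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")

# Constructed IdP metadata: two signing certs (rollover), one encryption cert, and one
# KeyDescriptor without a use attribute, which the SAML metadata spec defines as both.
SAMPLE_METADATA = (
    '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
    'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/idp">'
    "<md:IDPSSODescriptor>"
    + _key_descriptor(OLD_SIGNING, "signing") + _key_descriptor(NEW_SIGNING, "signing")
    + _key_descriptor(ENCRYPTION, "encryption") + _key_descriptor(DUAL_USE)
    + "</md:IDPSSODescriptor></md:EntityDescriptor>")

def signing_certs(metadata_xml):
    """DER bytes of every cert the SP may trust for signature validation, in metadata order:
    use="signing" plus descriptors with no use attribute; use="encryption" is skipped."""
    certs = []
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use")
        if use is not None and use != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())  # drop line breaks and indentation
            if b64:
                certs.append(base64.b64decode(b64))
    return certs

def verify_against_any(certs, verify):
    """The answer's rule: try each published signing cert until one validates the signature.
    verify(der) -> bool is the caller's real XML-signature check (e.g. an xmlsec wrapper; assumed).
    Returns the DER that validated, or None, in which case the SP must reject the message."""
    for der in certs:
        if verify(der):
            return der
    return None
```

Mid-rollover the IdP may sign with either certificate, so the SP keeps both until the old one disappears from the metadata; the encryption certificate is never consulted for signature validation.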
Another reason you might (always) see two is that you might have one coming from a backchannel certificate (e.g. credentials/idp-backchannel.crt and credentials/idp-signing.crt).
I think there are many SPs that don't really know what to do there. If you don't need backchannel, you might consider removing it (or at least not handing it to people in your curated metadata).
The annoying (really annoying) thing in my experience is that all three are separate certificates about the same thing (at least in my case), and all three are valid at the same time (this will surely lead to difficulties).
As per https://wiki.shibboleth.net/confluence/display/IDP30/Installation :
The installation process will suggest or generate the following information for you: