Certificate questions

I have a couple of questions regarding certificates (assuming the latest version of the SAML v2.0 .NET library).

1) Regarding the concept of secondary and tertiary certificates. I understand how they work for say, the IdP, but how do things work for the local SP? Does it use the secondary (and subsequently the tertiary) to sign the AuthnRequest if the primary certificate is null or has expired?

2) Is it possible to obtain the IdP’s certificate during a SAML request somehow? I’d like to be able to do something like SAMLServiceProvider.ReceiveSSO(…, out samlRequest). This would allow me to obtain the embedded certificate from some kind of SAML request object (cert and other elements would be available) and store it in the DB, update the SAMLConfiguration for the IdP to use the said certificate, and set UseEmbeddedCertificate to false, thereby automating the initial onboarding of new IdPs so that certificates are locked in after first use and setup.

1. We always use the primary certificate for signature generation. We don’t check whether the certificate has expired etc. The secondary and tertiary certificates are only used when decrypting the SAML assertion. If decryption fails with the primary certificate, we try the secondary and then tertiary certificates.

2. We don’t support this. I would have some security concerns with this approach. If certificates are supplied out-of-band in a secure and controlled manner, you can have more confidence in their origin. Embedded certificates aren’t always included with the signature, but if they are we don’t recommend using them, as you can’t be sure of their origin. Of course, if the certificate is issued by a certificate authority this is less of an issue, but many partner providers use self-signed certificates, so this can’t be used as a general approach.
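The two behaviours described in the answer, written against plain .NET APIs (System.Security.Cryptography.Xml) as an added illustration. This is not ComponentSpace's code and does not use its API; the class and method names (SamlCertificateHandling, VerifySignature, DecryptAssertion) are made up for the example. It assumes the SAML message has already been parsed into an XmlDocument with PreserveWhitespace set, and that the partner's signing certificate was configured out-of-band by an administrator rather than taken from the message.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example, not part of the SAML v2.0 .NET library. Hypothetical helper
// class illustrating (1) verifying a signature only against the configured
// partner certificate and (2) primary -> secondary -> tertiary decryption fallback.
public static class SamlCertificateHandling
{
    private const string SamlAssertionNs = "urn:oasis:names:tc:SAML:2.0:assertion";

    // 1. Verify the enveloped signature with the certificate configured for this
    //    partner. Any certificate embedded in <ds:KeyInfo> is deliberately ignored:
    //    whoever produced the message could have embedded any certificate they liked.
    public static bool VerifySignature(XmlDocument samlMessage, X509Certificate2 configuredCertificate)
    {
        XmlNodeList signatures = samlMessage.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (signatures.Count != 1)
        {
            return false; // unsigned, or more than one signature: reject
        }

        var signedXml = new SignedXml(samlMessage);
        signedXml.LoadXml((XmlElement)signatures[0]);

        // verifySignatureOnly: true checks the signature with this exact public key and
        // skips chain building; trust comes from the out-of-band configuration, so an
        // expired or self-signed partner certificate is acceptable if it is the one configured.
        return signedXml.CheckSignature(configuredCertificate, verifySignatureOnly: true);
    }

    // 2. Decrypt <saml:EncryptedAssertion>, trying the SP certificates in the order
    //    given (primary, secondary, tertiary). Null slots are skipped; the first private
    //    key that unwraps the session key wins. Returns the decrypted <saml:Assertion>.
    public static XmlElement DecryptAssertion(XmlDocument samlResponse, params X509Certificate2[] certificates)
    {
        XmlNodeList encrypted = samlResponse.GetElementsByTagName("EncryptedAssertion", SamlAssertionNs);
        if (encrypted.Count != 1)
        {
            throw new InvalidOperationException("Expected exactly one EncryptedAssertion.");
        }
        var encryptedAssertion = (XmlElement)encrypted[0];
        var encryptedDataElement = encryptedAssertion.GetElementsByTagName("EncryptedData", EncryptedXml.XmlEncNamespaceUrl)[0] as XmlElement;
        var encryptedKeyElement = encryptedAssertion.GetElementsByTagName("EncryptedKey", EncryptedXml.XmlEncNamespaceUrl)[0] as XmlElement;
        if (encryptedDataElement == null || encryptedKeyElement == null)
        {
            throw new InvalidOperationException("EncryptedAssertion is missing EncryptedData or EncryptedKey.");
        }

        var encryptedData = new EncryptedData();
        encryptedData.LoadXml(encryptedDataElement);
        var encryptedKey = new EncryptedKey();
        encryptedKey.LoadXml(encryptedKeyElement);
        bool useOaep = encryptedKey.EncryptionMethod.KeyAlgorithm == EncryptedXml.XmlEncRSAOAEPUrl;

        foreach (X509Certificate2 certificate in certificates)
        {
            if (certificate == null || !certificate.HasPrivateKey)
            {
                continue; // unconfigured slot, or a certificate we cannot decrypt with
            }
            try
            {
                using (RSA rsa = certificate.GetRSAPrivateKey())
                using (SymmetricAlgorithm sessionKeyAlgorithm = CreateSymmetricAlgorithm(encryptedData.EncryptionMethod.KeyAlgorithm))
                {
                    // Unwrap the session key with this certificate's private key ...
                    sessionKeyAlgorithm.Key = EncryptedXml.DecryptKey(encryptedKey.CipherData.CipherValue, rsa, useOaep);
                    // ... then decrypt the assertion and splice it back into the document.
                    var encryptedXml = new EncryptedXml(samlResponse);
                    byte[] plaintext = encryptedXml.DecryptData(encryptedData, sessionKeyAlgorithm);
                    encryptedXml.ReplaceData(encryptedDataElement, plaintext);
                    return (XmlElement)encryptedAssertion.GetElementsByTagName("Assertion", SamlAssertionNs)[0];
                }
            }
            catch (CryptographicException)
            {
                // Wrong key (unwrap or padding failure): fall through to the next certificate.
            }
            catch (XmlException)
            {
                // Garbage plaintext that did not parse: treat the same way.
            }
        }
        throw new CryptographicException("None of the configured certificates could decrypt the assertion.");
    }

    private static SymmetricAlgorithm CreateSymmetricAlgorithm(string algorithmUri)
    {
        switch (algorithmUri)
        {
            case EncryptedXml.XmlEncAES128Url:
            case EncryptedXml.XmlEncAES192Url:
            case EncryptedXml.XmlEncAES256Url:
                return Aes.Create();
            case EncryptedXml.XmlEncTripleDESUrl:
                return TripleDES.Create();
            default:
                throw new NotSupportedException("Unsupported data encryption algorithm: " + algorithmUri);
        }
    }
}
```

Two points worth keeping in mind when applying this pattern: a decrypted assertion normally carries its own signature, so VerifySignature should be run again on the returned element with the partner's configured certificate, and the signature's Reference should be checked to cover the element you actually consume. Certificate rollover on the SP side then only needs the new certificate added to the secondary slot while partners migrate, exactly the fallback the answer describes.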