Including Multiple Encryption Certificates in the FederationMetadata.xml File.

Our login site provides SSO for some of the applications we are developing. We also support the use of third-party IdPs (e.g. AD FS) to allow the users to log in using their AD. There the login site acts as the SP and AD FS acts as the IdP. In our FederationMetadata.xml file, which we provide to integrate with the AD FS, we have 2 sections, one for encryption and one for signing. We have the same public key for encryption and signing. The metadata looks like this.

    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
          #### Old Certificate ####
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
          #### Old Certificate ####
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>

The certificate we use is near expiration and we need to add a new certificate so that the AD FS can continue to support the integration with us. For that we have to add another signing and encryption certificate (again, we use the same public key for both signing and encryption for the new certificate as well). To do that, I have modified the FederationMetadata.xml to include the new certificates.

    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
          #### Old Certificate ####
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
          #### New Certificate ####
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
          #### Old Certificate ####
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
          #### New Certificate ####
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>

But when I try to create the Relying Party Trust with the AD FS by uploading the metadata file, it shows the following error.



I've tried with having only 2 signing certificates and it works. Then I tried with having 2 signing certificates and one encryption certificate and it works too. This occurs only when I have 2 signing and 2 encryption certificates. So my question is: how can I include the 2 encryption certificates as well (old and new) in the FederationMetadata.xml file?

I don’t think you can.
Having multiple signing certificates is fine because ADFS can try each one when attempting to verify a signature.
If there are multiple encryption certificates it won’t know which one to use when encrypting the SAML assertion.
It could use the first valid unexpired encryption certificate but I don’t think ADFS works like that.
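An added example, not code from this thread or from ComponentSpace: a small Python pre-flight check for SP metadata that applies the distinction made in the answer above. Several signing KeyDescriptors are harmless because a verifier can try each one, but more than one encryption KeyDescriptor leaves the IdP with no rule for choosing which certificate to encrypt to, so the check flags exactly that case. It also shows one assumed rollover approach (keep both signing certificates, publish a single encryption certificate); the entityID, the builder helper and the certificate texts are constructed placeholders, and the element names and namespaces are the standard SAML 2.0 metadata ones.

```python
"""Pre-flight check for SAML SP metadata before it is handed to an IdP such as AD FS."""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("", MD_NS)   # keep the default namespace when re-serialising
ET.register_namespace("ds", DS_NS)


def _key_descriptor(use, cert_text):
    """One KeyDescriptor element in the shape used by SP metadata."""
    return (f'    <KeyDescriptor use="{use}">\n'
            f'      <KeyInfo xmlns="{DS_NS}">\n'
            f'        <X509Data><X509Certificate>{cert_text}</X509Certificate></X509Data>\n'
            f'      </KeyInfo>\n'
            f'    </KeyDescriptor>')


def build_sp_metadata(descriptors):
    """Build minimal SP metadata from (use, certificate_text) pairs.
    The entityID is a placeholder, not a real endpoint."""
    body = "\n".join(_key_descriptor(use, cert) for use, cert in descriptors)
    return (f'<EntityDescriptor xmlns="{MD_NS}" entityID="https://sp.example.test/">\n'
            f'  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">\n'
            f'{body}\n'
            f'  </SPSSODescriptor>\n'
            f'</EntityDescriptor>')


# Constructed sample mirroring the thread: old and new certificate published for
# both uses. The certificate texts are placeholders, not real base64 certificates.
ROLLOVER_METADATA = build_sp_metadata([
    ("encryption", "OLD-CERT-PLACEHOLDER"),
    ("encryption", "NEW-CERT-PLACEHOLDER"),
    ("signing", "OLD-CERT-PLACEHOLDER"),
    ("signing", "NEW-CERT-PLACEHOLDER"),
])


def certificates_by_use(metadata_xml):
    """Map 'signing' and 'encryption' to their certificate texts in document order.
    A KeyDescriptor without a use attribute applies to both uses."""
    root = ET.fromstring(metadata_xml)
    by_use = {"signing": [], "encryption": []}
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for cert in kd.iter(f"{{{DS_NS}}}X509Certificate"):
            text = "".join(cert.text.split()) if cert.text else ""  # drop base64 line breaks
            for use in uses:
                by_use.setdefault(use, []).append(text)
    return by_use


def check_for_idp(metadata_xml):
    """Return a list of problems; empty means an IdP that must pick exactly one
    certificate to encrypt assertions to can use this metadata unambiguously."""
    by_use = certificates_by_use(metadata_xml)
    problems = []
    if len(by_use["encryption"]) > 1:
        problems.append(f"{len(by_use['encryption'])} encryption certificates; "
                        "the IdP has no rule for choosing which one to encrypt to")
    if not by_use["signing"]:
        problems.append("no signing certificate; the IdP cannot verify signed requests")
    return problems


def single_encryption_cert(metadata_xml, keep_cert_text):
    """Assumed rollover variant: keep every signing KeyDescriptor (a verifier can
    try each) but only the encryption KeyDescriptor carrying keep_cert_text."""
    root = ET.fromstring(metadata_xml)
    keep = "".join(keep_cert_text.split())
    for parent in list(root.iter()):
        for kd in list(parent.findall(f"{{{MD_NS}}}KeyDescriptor")):
            if kd.get("use") != "encryption":
                continue
            certs = {"".join(c.text.split())
                     for c in kd.iter(f"{{{DS_NS}}}X509Certificate") if c.text}
            if keep not in certs:
                parent.remove(kd)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("problems:", check_for_idp(ROLLOVER_METADATA))
    fixed = single_encryption_cert(ROLLOVER_METADATA, "NEW-CERT-PLACEHOLDER")
    print("after keeping one encryption cert:", check_for_idp(fixed))
    print(certificates_by_use(fixed))
```

Run it against your real FederationMetadata.xml by passing the file contents to `check_for_idp`; an empty list means the metadata carries at most one encryption certificate, which is the shape that worked in the thread (two signing, one encryption). The check also treats a KeyDescriptor with no `use` attribute as both signing and encryption, since that is what the SAML metadata schema means by an absent `use`, so an unlabelled descriptor alongside an `encryption` one is flagged as well.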

[quote]
ComponentSpace - 3/13/2018
I don't think you can.
Having multiple signing certificates is fine because ADFS can try each one when attempting to verify a signature.
If there are multiple encryption certificates it won't know which one to use when encrypting the SAML assertion.
It could use the first valid unexpired encryption certificate but I don't think ADFS works like that.
[/quote]

Thanks a lot for the clarification. :)

You’re welcome.