"The SAML response signature failed to verify." with two certificates

I get an error “The SAML response signature failed to verify.”

I have investigated the problem a bit and found the reason.
I import the configuration from a metadata file. This file contains two signing certificates. One is expiring soon, the other one is new. Both are valid at the same time.

For some reason, the SAMLController.Configuration object contains only one certificate.
It contains only one PartnerIdentityProviderConfiguration object, which has a single property for the certificate.

If I manually bind the latest certificate, then verification is successful.

How should I handle this case correctly?


The import metadata functionality has a limitation in that it only imports one certificate. This will be enhanced in a future release.
However, you can specify multiple partner certificates in your SAML configuration.
You can specify two partner certificates using the PartnerCertificateFile and SecondaryPartnerCertificateFile properties.
The SAML API will attempt to verify the signature using the PartnerCertificateFile.
If this fails and a SecondaryPartnerCertificateFile is specified, it attempts to verify the signature using the SecondaryPartnerCertificateFile.
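The primary-then-secondary fallback described in the answer, written out as an added example against the plain .NET `System.Security.Cryptography.Xml` API. This is not ComponentSpace code and does not use its configuration classes; it only mirrors the behaviour the answer describes, so you can see what "try PartnerCertificateFile, then SecondaryPartnerCertificateFile" amounts to during a signing-key rollover. The file names, the `Verify` helper and the `Main` wrapper are assumptions for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class SamlSignatureRollover
{
    // Returns the certificate that verified the enveloped signature on the
    // SAML response, or null if neither the primary nor the secondary did.
    // Order matters: the primary (current) certificate is tried first, the
    // secondary (expiring or just-published) one only on failure, which is
    // the same fallback order the answer above describes.
    public static X509Certificate2 Verify(XmlDocument samlResponse,
                                          X509Certificate2 primary,
                                          X509Certificate2 secondary)
    {
        XmlElement root = samlResponse.DocumentElement;
        var nsmgr = new XmlNamespaceManager(samlResponse.NameTable);
        nsmgr.AddNamespace("ds", SignedXml.XmlDsigNamespaceUrl);

        // Only accept the <ds:Signature> that is a direct child of the root.
        // Searching the whole tree (//ds:Signature) would let a nested,
        // attacker-supplied signature be picked instead of the IdP's.
        var sigElement = root.SelectSingleNode("ds:Signature", nsmgr) as XmlElement;
        if (sigElement == null)
            return null;

        var signedXml = new SignedXml(samlResponse);
        signedXml.LoadXml(sigElement);

        // The single reference must point at the root element's own ID, so
        // the signature actually covers the response we are about to trust.
        if (signedXml.SignedInfo.References.Count != 1)
            return null;
        var reference = (Reference)signedXml.SignedInfo.References[0];
        string rootId = root.GetAttribute("ID");
        if (string.IsNullOrEmpty(rootId) || reference.Uri != "#" + rootId)
            return null;

        foreach (X509Certificate2 cert in new[] { primary, secondary })
        {
            if (cert == null)
                continue;
            // Verify against the public key we configured, never against a
            // key embedded in the message's own <ds:KeyInfo>.
            using (RSA key = cert.GetRSAPublicKey())
            {
                if (key != null && signedXml.CheckSignature(key))
                    return cert;
            }
        }
        return null;
    }

    // Assumed usage: args are the response XML, the new certificate and the
    // expiring certificate (mirroring PartnerCertificateFile and
    // SecondaryPartnerCertificateFile in the configuration).
    public static int Main(string[] args)
    {
        if (args.Length < 3)
        {
            Console.Error.WriteLine("usage: response.xml primary.cer secondary.cer");
            return 2;
        }

        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.Load(args[0]);

        using (var primary = new X509Certificate2(args[1]))
        using (var secondary = new X509Certificate2(args[2]))
        {
            X509Certificate2 used = Verify(doc, primary, secondary);
            if (used == null)
            {
                Console.Error.WriteLine("The SAML response signature failed to verify.");
                return 1;
            }
            Console.WriteLine("Signature verified with " + used.Subject +
                              " (thumbprint " + used.Thumbprint + ")");
            return 0;
        }
    }
}
```

Put the new certificate first and the expiring one second, so the fallback path is only exercised for responses the IdP is still signing with the old key; once the old certificate expires, drop it rather than leaving an expired key in the trusted set. In saml.config the equivalent is the partner identity provider entry carrying both the PartnerCertificateFile and SecondaryPartnerCertificateFile attributes named in the answer above (the exact element layout of that file is not shown on this page).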