Hi, I am aware that some IDPs include both encryption and signing certificates in their metadata. Reading another post on this forum I understood that we must use the signing certificate. All good.

However... Looking at the Microsoft Azure AD metadata, I've noticed they define 3 (three) such signing certificates. For some reason, pasting some XML here breaks the editor, but you can access the metadata at the following URL:
https://login.microsoftonline.com/common/FederationMetadata/2007-06/FederationMetadata.xml

On their support pages, they mention that the SPs must try to validate the signatures against all the signing certificates from their metadata file. This is supposed to allow gracefully changing certificates. This is also consistent with some other info I've found on other sites, like stackoverflow.com. This is the URL where they are making the statement, under the "Token signing certificates" section:
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-federation-metadata

My question is: how do we support such IDPs, since the configuration allows only for a single certificate for a partner identity provider? Windows Server AD FS also easily allows configuring multiple certificates for signing. Is there a more recent version that supports this scenario? We are currently using SAML v2.0 for .NET4 version 2.6.0.13 (based on the info in the assembly).

Kindly assist, Thank you!
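The behaviour the post describes (an SP that collects every signing certificate from the IdP's federation metadata and accepts a signature that verifies under any one of them, so the IdP can roll keys without breaking logins) can be written directly against the .NET XML-DSig classes. The code below is an added example for this thread; it is not code from the original post, from the "SAML v2.0 for .NET" product, or from Microsoft, and the class and method names (IdpSigningCertificates, LoadSigningCertificates, IsSignedByTrustedIdp) are my own. It assumes the metadata is already downloaded and passed in as a string and the SAML message is already parsed into an XmlDocument.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example (not the forum post's or the SAML library's own code).
// Collects every signing certificate published in an IdP's SAML 2.0 metadata and
// accepts a signed SAML message if its signature verifies under any of them.
public static class IdpSigningCertificates
{
    private const string MdNs = "urn:oasis:names:tc:SAML:2.0:metadata";
    private const string DsNs = "http://www.w3.org/2000/09/xmldsig#";

    // Extract all IdP signing certificates from the metadata.
    // A KeyDescriptor with no "use" attribute may be used for both signing and
    // encryption, so it is included; use="encryption" keys are deliberately skipped,
    // since they must never be accepted as signature verification keys.
    public static List<X509Certificate2> LoadSigningCertificates(string metadataXml)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(metadataXml);

        var ns = new XmlNamespaceManager(doc.NameTable);
        ns.AddNamespace("md", MdNs);
        ns.AddNamespace("ds", DsNs);

        var nodes = doc.SelectNodes(
            "//md:IDPSSODescriptor/md:KeyDescriptor[not(@use) or @use='signing']" +
            "/ds:KeyInfo/ds:X509Data/ds:X509Certificate", ns);

        var certs = new List<X509Certificate2>();
        foreach (XmlNode node in nodes)
        {
            var cert = new X509Certificate2(Convert.FromBase64String(node.InnerText.Trim()));
            if (certs.All(c => c.Thumbprint != cert.Thumbprint))   // de-duplicate
                certs.Add(cert);
        }
        return certs;
    }

    // Verify the first ds:Signature in the message against the trusted set.
    // The certificate the IdP embeds in the signature's KeyInfo is used only to pick
    // which trusted certificate to try first; it is never trusted by itself.
    public static bool IsSignedByTrustedIdp(XmlDocument samlMessage,
                                            IReadOnlyCollection<X509Certificate2> trusted)
    {
        var ns = new XmlNamespaceManager(samlMessage.NameTable);
        ns.AddNamespace("ds", DsNs);

        if (!(samlMessage.SelectSingleNode("//ds:Signature", ns) is XmlElement signatureElement))
            return false;                      // unsigned messages are rejected

        var signedXml = new SignedXml(samlMessage);
        signedXml.LoadXml(signatureElement);

        var embedded = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (KeyInfoClause clause in signedXml.KeyInfo)
        {
            if (clause is KeyInfoX509Data x509Data && x509Data.Certificates != null)
                foreach (X509Certificate c in x509Data.Certificates)
                    embedded.Add(c.GetCertHashString());
        }

        // Try the metadata certificate matching the embedded one first, then the rest.
        var ordered = trusted.OrderByDescending(c => embedded.Contains(c.Thumbprint)).ToList();

        foreach (var cert in ordered)
        {
            // verifySignatureOnly = true: trust is established by membership in the
            // metadata set, not by chaining the certificate to a CA.
            if (signedXml.CheckSignature(cert, true))
                return true;
        }
        return false;
    }
}
```

Two things the loop does not cover and that a real SP still has to do: check that the signature's Reference actually covers the Assertion or Response being consumed (otherwise a signed element can be moved or wrapped around unsigned content), and refresh the certificate set from metadata periodically, since the whole point of publishing several certificates is that the active one changes over time.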