The certificates under the relying party's Encryption and Signature property tabs are the service provider's certificates. The signature certificate is used by ADFS to verify signatures on SAML messages sent by your service provider (SP). The encryption certificate, if present, is used by ADFS to encrypt SAML assertions sent to your SP.
The token signing certificate under Service > Certificates is the certificate used by ADFS to sign messages it sends to SPs.
Your code shows you are using the SAML low-level API. I presume you have an assertion consumer service endpoint where you receive and process SAML responses from identity providers such as ADFS. As part of this processing, you should be verifying the signature on the SAML assertion or SAML response. You use the ADFS token signing certificate to verify these signatures.
Make sure to update your code to use the new certificate for signature verification once it comes into effect.
If you were using the SAML high-level API, it would be a matter of simply updating the SAML configuration (e.g. the saml.config file) to include the new certificate. The high-level API would attempt to verify signatures using the old certificate, and if that doesn't work, the new certificate. This makes certificate rollover more straightforward.
Regards ComponentSpace Development
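The rollover behaviour described in the reply above, as an added example that is not ComponentSpace code and not the SAML high-level API: an SP-side verifier configured with a list of trusted ADFS token-signing certificates tries each one in order (old first, then new), so a response signed with either certificate validates during the overlap, while a response signed with a certificate the SP was never configured with is rejected. The XML-DSig plumbing (canonicalisation, `<ds:SignedInfo>`, references) is replaced by a plain RSA PKCS#1 v1.5 signature over the serialized response bytes, and the "old", "new" and "rogue" keys and self-signed certificates are generated in-process as stand-ins; none of them are real ADFS artifacts, and the SAML response is a constructed placeholder. It also shows the failure the reply warns about in the low-level case: a verifier that still knows only the old certificate rejects everything signed with the new one. Requires the `cryptography` package.

```python
"""Added example: SAML signature verification with IdP signing-cert rollover.

Not ComponentSpace code. Keys, certificates and the SAML response bytes are
constructed here as stand-ins; the signature is a plain RSA PKCS#1 v1.5
signature over the response bytes rather than a full XML-DSig.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def make_signing_cert(common_name):
    """Self-signed RSA certificate standing in for an ADFS token-signing cert."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .sign(key, hashes.SHA256())
    )
    return key, cert


def thumbprint(cert):
    """SHA-1 thumbprint, the form in which the ADFS console lists certificates."""
    return cert.fingerprint(hashes.SHA1()).hex()


def idp_sign(key, response_bytes):
    """IdP side: sign the serialized response (stands in for the XML signature)."""
    return key.sign(response_bytes, padding.PKCS1v15(), hashes.SHA256())


class SamlVerifier:
    """SP side: trusts only the configured IdP token-signing certificates.

    The certificates are tried in configured order. During a rollover the SP
    lists the old certificate first and the new one second, so both validate
    until the old one is removed. Nothing embedded in the message (such as a
    <ds:KeyInfo> certificate) is used as a trust anchor.
    """

    def __init__(self, trusted_certs):
        self.trusted = list(trusted_certs)

    def verify(self, response_bytes, signature):
        """Return the thumbprint of the configured cert that validates, else None."""
        for cert in self.trusted:
            try:
                cert.public_key().verify(
                    signature, response_bytes, padding.PKCS1v15(), hashes.SHA256()
                )
                return thumbprint(cert)
            except InvalidSignature:
                continue  # not this certificate; try the next configured one
        return None


def rollover_demo():
    """Exercise the verifier before, during and after the rollover."""
    old_key, old_cert = make_signing_cert("ADFS Signing - old (constructed)")
    new_key, new_cert = make_signing_cert("ADFS Signing - new (constructed)")
    rogue_key, _ = make_signing_cert("not configured anywhere (constructed)")

    # Constructed placeholder for a serialized SAML response.
    response = b'<samlp:Response ID="_constructed" Version="2.0"/>'
    sig_old = idp_sign(old_key, response)
    sig_new = idp_sign(new_key, response)
    sig_rogue = idp_sign(rogue_key, response)

    before = SamlVerifier([old_cert])            # config not yet updated
    during = SamlVerifier([old_cert, new_cert])  # both listed, old first
    after = SamlVerifier([new_cert])             # old certificate retired

    return {
        "old_tp": thumbprint(old_cert),
        "new_tp": thumbprint(new_cert),
        # Low-level API pitfall: code still holding only the old cert breaks
        # the moment ADFS starts signing with the new one.
        "before_old": before.verify(response, sig_old),
        "before_new": before.verify(response, sig_new),
        # Rollover window: either certificate validates.
        "during_old": during.verify(response, sig_old),
        "during_new": during.verify(response, sig_new),
        # Never accepted: unknown signer, or a tampered response.
        "during_rogue": during.verify(response, sig_rogue),
        "during_tampered": during.verify(response + b" ", sig_new),
        "after_old": after.verify(response, sig_old),
        "after_new": after.verify(response, sig_new),
    }


if __name__ == "__main__":
    for case, result in rollover_demo().items():
        print(f"{case:16} -> {result}")
```

In a real deployment the configured certificates come from the SP's configuration (the ADFS federation metadata or exported token-signing certificate), the thumbprints can be cross-checked against the ADFS console under Service > Certificates, and the verification call is an XML-DSig check over the canonicalised `<ds:SignedInfo>` rather than the raw bytes used here; the ordering and rejection logic is the same.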