Support Multiple Certificates

[joaovarandas]

Hi there!

It seems that when the Auto Certificate Rollover feature within ADFS is enabled the SAML Metadata returns multiple signing certificates.

Check out Azure's policy for signing key rollover:
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-signing-key-rollover

Are you guys going to support this in IdpConfig.java?
(or is it already supported and am I doing something wrong here?)

[ron-premier]

We have also encountered this issue as a Service Provider. One of our Identity Providers is undergoing certificate rollover. Their IDP metadata contains an encryption certificate and two signing certificates. In our case, the old deprecated certificate occurs first and the new current certificate is happily ignored by the library. This comment and accompanying line of code is where the selection occurs: https://github.com/lastpass/saml-sdk-java/blob/master/src/main/java/com/lastpass/saml/IdPConfig.java#L153

[msuppahiya]

@ron-premier
@joaovarandas

This can be fixed fetching all the signing certificates in IdPConfig.java

Then try validating the signature in SAMLClient.java using multiple signing certificates.

And if signature validation is not successful using any of the certificates then return error with ValidationException.

Committed the fix to forked https://github.com/msuppahiya/saml-sdk-java

Proposed Solution References-
https://stackoverflow.com/questions/35909251/saml2-metadata-multiple-signing-certificates

https://jorgequestforknowledge.wordpress.com/2020/07/08/federation-metadata-from-adfs-adjusted-to-support-broken-applications/