In our organisation we roll the signing certificate for our ADFS servers every year. During the rollover period the server provides two certificates which may be valid, so when a SAML response is provided it is valid if it is signed with either of those signatures.
passport-saml has two issues handling this scenario:
It only handles one valid certificate which is used to check if a signature is valid. When a new certificate is issued it may be valid for a SAML response to be signed with either a new or old certificate.
It doesn't provide a mechanism to update the cert used to validate the signature in a SAML response. If the certificate used is dynamic and our service can fetch the new certificate, there isn't a way to update the certificate used.
I made a PR here #218 to address these issues a while ago but it hasn't received any traction.