OpenSAML and XML signatures: Handling intermediate certificates - how?

Graham Leggett minfrin at
Mon Jul 29 12:20:40 EDT 2019

Hi all,

I am currently trying to get pac4j-saml (which integrates with java-opensaml) to interoperate with ADFS using the KeyStoreCredentialResolver.

While the KeyStore (a P12 file in this case) contains intermediate certificates, only the first certificate in the store is added to the SAML2 metadata:;a=blob;f=opensaml-security-impl/src/main/java/org/opensaml/security/credential/impl/;h=77b2a7081e8748bc2c867a7b39a4ae0a4987b756;hb=HEAD#l229

ADFS complains that the certificate chain is not trusted, which is 100% true - the intermediate certs are missing, and so there is no way ADFS could verify our certificate.

My question is - what changes do I need to make to read intermediate certificates from the KeyStore and add these intermediate certificates to the SAML2 metadata endpoint?

Is the metadata endpoint supposed to carry the leaf certificate and the intermediates, or just the leaf certificate and have the intermediates in the actual SAML messages, or should it contain the root certificate to be trusted?

I've drawn a blank reading the specs, as they refer to XMLSIG but in a general sense, and I need the specifics.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3260 bytes
Desc: not available
URL: <>

More information about the users mailing list