Two signing certs in SP MetadataProvider section?

Bryan K. Walton bwalton+1573850983 at leepfrog.com
Thu Jan 14 19:05:23 UTC 2021


We are working with an IdP that is updating their signing certificates.
They currently have both the old and new signing certificates in their
IdP metadata.

The new cert, in the metadata, is listed after the older cert.

I'm trying to update our MetadataProvider config for this client.  Our
current configuration looks similar to this:

<MetadataProvider type="XML"
	url="<metadata url>"
	backingFilePath="backingfile.xml" reloadInterval="28800">
	<MetadataFilter type="Signature" certificate="<old signing cert>"/>
</MetadataProvider>

I've tried to replace the old signing cert with the new one. I've also
tried adding a second MetadataFilter line that points to the new cert.
With both options, I get the following error:

2021-01-14 13:00:18 WARN OpenSAML.MetadataFilter.Signature : filtering out entity at root of instance after failed signature check: CredentialResolver did not supply any candidate keys.
2021-01-14 13:00:18 WARN OpenSAML.MetadataProvider.XML : trying backup file, exception loading remote resource: SignatureMetadataFilter unable to verify signature at root of metadata instance.
2021-01-14 13:00:18 WARN OpenSAML.MetadataFilter.Signature : filtering out entity at root of instance after failed signature check: CredentialResolver did not supply any candidate keys.
2021-01-14 13:00:18 CRIT OpenSAML.MetadataProvider.Chaining : failure initializing MetadataProvider: SignatureMetadataFilter unable to verify signature at root of metadata instance.
overall configuration is loadable, check console or log for non-fatal problems

Is there any way to use the second signing cert in their metadata?  Or
do we need to wait for them to remove the old one that is listed first?

Thanks,
Bryan Walton
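One thing worth checking while waiting for a reply: the certificate named by the `certificate` attribute of a Signature MetadataFilter is the key that verifies the signature on the metadata document itself, which need not be any of the KeyDescriptor certificates the IdP publishes for its own SAML signatures. The script below is an added example, not code from the original post or from the Shibboleth project. It fingerprints every KeyDescriptor certificate and the certificate carried in the root-level ds:Signature KeyInfo, then reports where a locally configured PEM certificate (the file the filter points at) actually appears. The sample metadata, the placeholder certificate bytes and the function names (`inspect_metadata`, `locate`, `match_configured`) are all constructed here for illustration; only fingerprints are compared, no signature is verified, and a KeyInfo is a hint from the signer rather than proof of which key produced the signature.

```python
"""Added example: locate which certificates appear where in a SAML metadata
document, to compare against the cert configured on a Signature MetadataFilter.
Uses only the standard library; no signature verification is performed."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def fingerprint_sha256(b64_der: str) -> str:
    """SHA-256 hex digest over the DER bytes of a base64 X509Certificate value."""
    der = base64.b64decode("".join(b64_der.split()))
    return hashlib.sha256(der).hexdigest()


def certs_from_pem(pem_text: str) -> list:
    """Base64 bodies of every CERTIFICATE block in a PEM file."""
    blocks = re.findall(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S
    )
    return ["".join(b.split()) for b in blocks]


def inspect_metadata(xml_text: str) -> dict:
    """Fingerprints of the root Signature KeyInfo cert(s) and of every KeyDescriptor cert."""
    root = ET.fromstring(xml_text)
    # Certificate(s) the signer advertised on the document-level signature.
    sig_fps = [
        fingerprint_sha256(c.text)
        for c in root.findall("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    ]
    # Certificates published in role descriptors: the IdP's own signing/encryption keys.
    kds = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use", "signing+encryption")
        for c in kd.findall(".//ds:X509Certificate", NS):
            kds.append((use, fingerprint_sha256(c.text)))
    return {"entity_id": root.get("entityID"), "signature_keyinfo": sig_fps, "key_descriptors": kds}


def locate(report: dict, fp: str) -> list:
    """Every place in the metadata where a cert with this fingerprint appears, in document order."""
    hits = ["root Signature KeyInfo"] if fp in report["signature_keyinfo"] else []
    hits += [
        f"KeyDescriptor[{i}] use={use}"
        for i, (use, f) in enumerate(report["key_descriptors"], 1)
        if f == fp
    ]
    return hits


def match_configured(report: dict, pem_text: str) -> dict:
    """Map each cert in the SP's configured PEM file to where it appears in the metadata."""
    return {fingerprint_sha256(b): locate(report, fingerprint_sha256(b)) for b in certs_from_pem(pem_text)}


# Constructed sample data: the base64 blobs are placeholder bytes, NOT real X.509
# certificates; only their DER bytes are hashed. The root signature's KeyInfo carries
# the old cert, and the KeyDescriptors list the old cert first, then the new one.
OLD_CERT_B64 = base64.b64encode(b"placeholder-old-idp-signing-cert").decode()
NEW_CERT_B64 = base64.b64encode(b"placeholder-new-idp-signing-cert").decode()

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/idp">
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>AAAA</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{OLD_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{OLD_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{NEW_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# What the filter's certificate= file would contain after swapping in the new cert.
CONFIGURED_PEM = f"-----BEGIN CERTIFICATE-----\n{NEW_CERT_B64}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    rep = inspect_metadata(SAMPLE_METADATA)
    print("entityID:", rep["entity_id"])
    for use, fp in rep["key_descriptors"]:
        print(f"KeyDescriptor use={use} sha256={fp[:16]}...")
    for fp in rep["signature_keyinfo"]:
        print(f"root Signature KeyInfo sha256={fp[:16]}... found at {locate(rep, fp)}")
    for fp, where in match_configured(rep, CONFIGURED_PEM).items():
        print(f"configured cert {fp[:16]}... appears at: {where or 'nowhere in this metadata'}")
```

To use it against a real deployment, feed `inspect_metadata` the contents of the `backingFilePath` file (or the freshly fetched metadata) and `match_configured` the PEM file the filter's `certificate` attribute names. If the configured cert shows up only in a KeyDescriptor and not in the root Signature KeyInfo, it is the IdP's SAML signing key rather than the metadata signing key, which is a different question from whether the file loads at all.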

