Hi,

Could you please tell me what the behaviour would be if we import
SAML Service Provider metadata with multiple signing keys (SAML 2.0)?
Would it import and use both encryption keys? Or not accept it at
all? Or use just one of them?

It would have been great if there was clear documentation on this.
Unfortunately, I am not able to locate any. I would really appreciate
it if someone could give a pointer on this.

I wanted to configure a test setup to check the behaviour, but have
been caught up in resolving configuration issues over the last
couple of days :-/

I was able to confirm that ADFS imports both keys.

Specifically, if the input file is something like:

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="EntityId">
  <md:SPSSODescriptor
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            ...
            ... CertData
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>

    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>
            ...
            ... CertData
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://xx.yy.com/urlendpoint" index="0"/>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="administrative"/>
</md:EntityDescriptor>


--
asubramanian
------------------------------------------------------------------------
asubramanian's Profile: https://forums.netiq.com/member.php?userid=6115
View this thread: https://forums.netiq.com/showthread.php?t=48971
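An added example, not from this thread or from NetIQ/ADFS: a small Python check that walks SP metadata carrying several KeyDescriptors, applies the SAML 2.0 metadata rule that a KeyDescriptor without a use attribute counts for both signing and encryption, and fingerprints each certificate so you can see exactly which keys an IdP that honours the metadata will end up trusting. The metadata, entity ID and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _key_descriptor(label: str, use: str = "") -> str:
    """Build one <md:KeyDescriptor> around a constructed (non-DER) placeholder cert."""
    use_attr = f' use="{use}"' if use else ""
    cert = base64.b64encode(f"constructed-cert-{label}".encode()).decode()
    return (f'<md:KeyDescriptor{use_attr}><ds:KeyInfo xmlns:ds="{NS["ds"]}">'
            f"<ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate>"
            "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")


# Constructed SP metadata: two signing keys (the shape asked about in the
# post), one encryption key, and one KeyDescriptor with no `use` attribute.
SAMPLE_METADATA = f"""
<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="https://sp.example.test">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    {_key_descriptor('sign1', 'signing')}
    {_key_descriptor('sign2', 'signing')}
    {_key_descriptor('enc1', 'encryption')}
    {_key_descriptor('both1')}
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.test/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def sp_keys(metadata_xml: str) -> dict:
    """Return SHA-256 fingerprints of the SP's certificates, grouped by use.

    A KeyDescriptor with no `use` attribute is valid for both signing and
    encryption (SAML 2.0 Metadata spec, 2.4.1.1), so it is listed under both.
    """
    root = ET.fromstring(metadata_xml)
    keys = {"signing": [], "encryption": []}
    for kd in root.findall("md:SPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use")
        uses = [use] if use in keys else list(keys)
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # drop PEM line breaks
            fp = hashlib.sha256(der).hexdigest()
            for u in uses:
                keys[u].append(fp)
    return keys
```

Running `sp_keys` over real SP metadata lists three trusted signing fingerprints for the sample above: the two explicit signing keys plus the unqualified one, which is usually the surprise when a rotated key is left in the file.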