From certFingerprints to certData


Feb 2, 2021, 6:09:51 PM2/2/21
to SimpleSAMLphp developers

I'm doing a bit of future-proofing in my SP and migrating from using certFingerprints to using certData in my idp-remote configuration.

I'm running into a bit of trouble, though, trying to figure out which of the certs in the IdP metadata to use. Part of what made using certFingerprints work for me was that the SP would cycle through all available certFingerprints to fallback if the first fingerprint didn't hit. By using certData, I'm limited to just one cert.

I'm dealing with metadata from a couple thousand different IdPs and some of them have multiple different certs for signing and multiple different certs for encryption. In my own testing on my own IdP, it seems like the signing cert lowest in the file is the one that works (i.e. if you have 3 signing certs, cert #3 was successful for me), but I have no idea if that'll be the case for my customers.

I've dug through the code trying to figure out if there's any preference, but I really can't see that there is one.

Is there any way to know which of the certs is the right one for certData? Are signing certs the only ones to be concerned about here? I can't assume that the signing and encryption certs are the same. Is there any way to fall back to the other certs if it's not? I have too many customers to be manually testing each of these certs.


Feb 3, 2021, 5:21:25 PM2/3/21
to SimpleSAMLphp developers

My saml20-idp-remote.php stores keys like

'keys' =>
array (
  0 =>
  array (
    'encryption' => false,
    'signing' => true,
    'type' => 'X509Certificate',

It stores all the keys.  And attempts them in order until one works.

If you still have the original xml metadata for those IdPs, I would just re-run metadata converter to turn the xml into php.
If not, then you can just put all the available keys for the idp in its key array.

- Patrick
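To make the 'keys' layout concrete, here is an added example written for this thread; it is not SimpleSAMLphp's own code. The entity ID, the three certificates and the "assertion" string are all constructed inside the script (the certs are generated on the fly so it runs offline), and the fallback loop only illustrates the try-each-signing-key-in-order behaviour Patrick describes, standing in for the XML-signature check that SimpleSAMLphp actually performs through xmlseclibs. It also shows why the single-value certData form breaks after a key rollover while the keys array does not.

```php
<?php
// Added example (not SimpleSAMLphp's code): the multi-key 'keys' layout of
// saml20-idp-remote.php and the fall-back it allows. Certificates are
// generated here as constructed test data; a real entry carries the IdP's
// actual base64 DER taken from <ds:X509Certificate> in its metadata XML.

// Build a self-signed cert for $cn; returns [PEM certificate, private key].
function makeCert(string $cn): array
{
    $key = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => 2048,
    ]);
    $csr = openssl_csr_new(['commonName' => $cn], $key, ['digest_alg' => 'sha256']);
    $crt = openssl_csr_sign($csr, null, $key, 365, ['digest_alg' => 'sha256']);
    openssl_x509_export($crt, $pem);
    return [$pem, $key];
}

// Strip the PEM armour: the 'X509Certificate' value in idp-remote metadata
// (and the certData value) is the bare base64 DER, no headers, no newlines.
function pemToCertData(string $pem): string
{
    return preg_replace('/-----[A-Z ]+-----|\s+/', '', $pem);
}

// Reverse of the above, so openssl can load a key from the metadata value.
function certDataToPem(string $certData): string
{
    return "-----BEGIN CERTIFICATE-----\n"
        . chunk_split($certData, 64, "\n")
        . "-----END CERTIFICATE-----\n";
}

[$oldPem, $oldKey] = makeCert('idp-signing-old');
[$newPem, $newKey] = makeCert('idp-signing-new');
[$encPem, $encKey] = makeCert('idp-encryption');

// Shape of the 'keys' array the metadata converter emits from each
// <md:KeyDescriptor>: use="signing" -> signing only, use="encryption" ->
// encryption only, no use attribute -> both flags true. The order is the
// order of the KeyDescriptor elements in the IdP's XML.
$idpMetadata = [
    'entityid' => 'https://idp.example.org/saml',   // hypothetical entity ID
    'keys' => [
        ['encryption' => false, 'signing' => true,  'type' => 'X509Certificate',
         'X509Certificate' => pemToCertData($oldPem)],
        ['encryption' => true,  'signing' => false, 'type' => 'X509Certificate',
         'X509Certificate' => pemToCertData($encPem)],
        ['encryption' => false, 'signing' => true,  'type' => 'X509Certificate',
         'X509Certificate' => pemToCertData($newPem)],
    ],
];

// Illustrative fall-back loop: try every key flagged for signing, in order,
// until one verifies; encryption-only keys are skipped. Returns the index of
// the matching key, or null when none matches (the SP would then reject).
// A plain RSA-SHA256 signature over a byte string stands in for the XML
// signature SimpleSAMLphp really checks.
function verifyWithAnySigningKey(array $metadata, string $data, string $sig): ?int
{
    foreach ($metadata['keys'] as $i => $k) {
        if (empty($k['signing']) || ($k['type'] ?? '') !== 'X509Certificate') {
            continue;
        }
        $pub = openssl_pkey_get_public(certDataToPem($k['X509Certificate']));
        if ($pub !== false
            && openssl_verify($data, $sig, $pub, OPENSSL_ALGO_SHA256) === 1) {
            return $i;
        }
    }
    return null;
}

// The IdP has rolled over and now signs with its newest key, the third one
// listed (matching the "lowest in the file" observation in the question).
$assertion = '<saml:Assertion>constructed sample</saml:Assertion>';
openssl_sign($assertion, $signature, $newKey, OPENSSL_ALGO_SHA256);

$matched = verifyWithAnySigningKey($idpMetadata, $assertion, $signature);
echo "full keys array: matched keys[" . var_export($matched, true) . "]\n";

// certData-style configuration: one certificate only. Pinning the first
// signing cert from the metadata leaves nothing to fall back to after the
// rollover, which is exactly the limitation the question ran into.
$single = ['keys' => [[
    'signing' => true, 'type' => 'X509Certificate',
    'X509Certificate' => $idpMetadata['keys'][0]['X509Certificate'],
]]];
$singleMatch = verifyWithAnySigningKey($single, $assertion, $signature);
echo "single certData-style key: " . ($singleMatch === null ? 'no match' : 'matched') . "\n";
```

Run it with `php keys_example.php` (needs the openssl extension). When re-running the converter on the original IdP XML is not possible, the 'keys' entries can be built the same way by hand: one element per certificate, with the base64 DER from the XML and the signing/encryption flags taken from the KeyDescriptor's use attribute.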