Allow to register primary and secondary "Verification key" for SAML IDP
Problem
EntraID and ADFS allow a secondary certificate to be generated before the primary certificate expires, but continue to sign with the primary certificate for a certain period of time. This allows applications to define 2 certificates (primary and secondary) and not be blocked when the IdP switches over to signing assertions.
Solution
If FusionAuth allowed 2 “Verification keys” (primary and secondary) to be defined on a SAMLv2 IdP, this would avoid having to undergo the IdP assertion signature changeover.
Alternatives/workarounds
No workaround; we have to change the “verification key” when the SAMLv2 IdP changes the assertion signature. This will stop authentication until the signature is changed.
Additional context
I think the same issue should exist with other SAMLv2 IdPs.
Related
- https://github.com/FusionAuth/fusionauth-issues/issues/1361
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
@konvergence, thanks so much for submitting this issue! We have a large backlog of work so I can't commit to when we'll address this, but we really appreciate you submitting it.
Perhaps if we could define a verification key made up of the 2 certificates, this would limit the impact?
I haven't looked at the code or tests so I'm not sure of the implementation details.
Hmm... does this already work? The configured verification key is used for sure when using redirect bindings, but when using a POST binding where the SAML request contains KeyInfo, I think we will try and resolve the verification key dynamically using the KeyInfo, and then fall back to the configured key if that doesn't work.
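The lookup described in the comment above (use the certificate named in KeyInfo, otherwise fall back to the configured key), generalised to a pinned primary/secondary pair, as an added Python example that is not FusionAuth code. The certificates, the minimal response and the verifier callback are constructed stand-ins, and the actual XML-signature check is left to whatever library the caller uses; a KeyInfo certificate that is not pinned is deliberately ignored rather than trusted.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed stand-ins for DER certificates; only their fingerprints matter here.
PRIMARY = b"constructed-primary-idp-signing-cert"
SECONDARY = b"constructed-secondary-idp-signing-cert"
UNKNOWN = b"constructed-cert-that-is-not-pinned"
CONFIGURED = [PRIMARY, SECONDARY]  # order is the fallback preference

def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, lower-case hex."""
    return hashlib.sha256(der).hexdigest()

def sample_response(cert=None):
    """Constructed minimal SAML Response, optionally carrying a ds:KeyInfo."""
    key_info = ""
    if cert is not None:
        key_info = ("<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate>"
                    "</ds:X509Data></ds:KeyInfo>" % base64.b64encode(cert).decode())
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_c1">'
            '<ds:Signature>%s</ds:Signature></samlp:Response>' % key_info)

def keyinfo_certs(response_xml):
    """DER certificates found in any ds:KeyInfo of the message."""
    root = ET.fromstring(response_xml)
    return [base64.b64decode("".join((el.text or "").split()))
            for el in root.iter(DS + "X509Certificate")]

def select_verification_keys(response_xml, configured):
    """Ordered pinned certificates to try; a KeyInfo certificate counts only if
    it matches a pinned one (unknown KeyInfo is ignored, never trusted), and
    with no usable KeyInfo all pinned certificates are returned, primary first."""
    pinned = {fingerprint(c): c for c in configured}
    for cert in keyinfo_certs(response_xml):
        fp = fingerprint(cert)
        if fp in pinned:
            return [pinned[fp]]
    return list(configured)

def verify_with_any(candidates, verify):
    """Call verify(cert) per candidate; fingerprint of the first success, else None."""
    for cert in candidates:
        if verify(cert):
            return fingerprint(cert)
    return None
```

During rollover the IdP may sign with either pinned certificate, so the caller loops over the returned candidates instead of failing on the first mismatch.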