[IdP] Not Valid Signature when certificates are renewed
Forge component by Rui Barbosa
Published on 07 Oct 2020

Hello Team,

We configured the IDP. Everything was fine until the certificate renewal. Our AD was set up with Primary and Secondary certificates, with Primary being the new certificate. The federation metadata XML had 2 certificates, and the auto-upload metadata file was always taking the secondary certificate. I looked at the IDP logic; there is no code to handle this scenario.

I also tried exporting the primary certificate and manually uploading it to Primary certificate; however, this one also gave a Not valid signature error. This is an issue with IDP which needs to be addressed for people that might have this way of certificate renewal.

Is there any plan by IDP team to address this at all? Happy to share a sample metadata xml if interested.


In order to fix this in the component, the below assignment needs to be changed to pick all the certificates from the path IDPSSODescriptor/KeyDescriptor[use="signing"]/KeyInfo/X509Data and use the one which has the longer expiry date for signature validation.
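As an added illustration of the selection logic proposed above (this is not the Forge component's code nor the poster's), the following parses a SAML metadata document, collects every certificate under IDPSSODescriptor/KeyDescriptor[use="signing"]/KeyInfo/X509Data and orders them by notAfter, latest first, so a validator can prefer the longest-lived certificate and still fall back to the others during a rollover. The metadata and the certificates are constructed stand-ins (DER stubs holding only the validity fields, not real X.509 certificates); the function and variable names are this example's own.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _der_items(data):
    """Split the body of a DER SEQUENCE into its (tag, value) children."""
    items, i = [], 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:                                  # long-form length
            n = ln & 0x7F
            ln, i = int.from_bytes(data[i:i + n], "big"), i + n
        items.append((tag, data[i:i + ln]))
        i += ln
    return items

def cert_not_after(der):
    """Expiry (tbsCertificate.validity.notAfter) of a DER-encoded X.509 certificate."""
    cert_body = _der_items(der)[0][1]                  # Certificate SEQUENCE body
    tbs = _der_items(_der_items(cert_body)[0][1])      # tbsCertificate children
    if tbs[0][0] == 0xA0:                              # skip optional explicit version [0]
        tbs = tbs[1:]
    tag, value = _der_items(tbs[3][1])[1]              # serial, sigAlg, issuer, validity -> notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    return datetime.strptime(value.decode(), fmt).replace(tzinfo=timezone.utc)

def signing_certs(metadata_xml):
    """All signing certificates of the IDPSSODescriptor as (notAfter, der), latest expiry first."""
    certs = []
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":       # no use= attribute means signing too
            continue
        for el in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(el.text.split()))
            certs.append((cert_not_after(der), der))
    return sorted(certs, key=lambda c: c[0], reverse=True)

# ---- constructed sample: DER stubs with only the fields read above, NOT real certificates ----
def _der(tag, body):
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body

def fake_cert(not_after):                              # serial, sigAlg, issuer, validity
    validity = _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, not_after.encode()))
    return _der(0x30, _der(0x30, _der(0x02, b"\x01") + _der(0x30, b"") + _der(0x30, b"") + validity))

def _kd(use, der):
    return ('<KeyDescriptor use="%s"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>'
            '<X509Certificate>%s</X509Certificate></X509Data></KeyInfo></KeyDescriptor>'
            % (use, base64.b64encode(der).decode()))

OLD, NEW = fake_cert("251231235959Z"), fake_cert("261231235959Z")   # secondary (old) listed first
METADATA = ('<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="urn:example:idp">'
            '<IDPSSODescriptor>' + _kd("signing", OLD) + _kd("signing", NEW)
            + _kd("encryption", fake_cert("301231235959Z")) + '</IDPSSODescriptor></EntityDescriptor>')
```

Running `signing_certs(METADATA)` returns the newer certificate first and leaves the encryption certificate out; a first-match reader of the same document would have picked the expiring secondary.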