Description
Allow registering primary and secondary "Verification keys" for a SAMLv2 IdP
Problem
EntraID and ADFS allow a secondary certificate to be generated before the primary certificate expires, but continue to sign with the primary certificate for a certain period of time.
This allows applications to define two certificates (primary and secondary) and not be blocked when the IdP switches over to signing assertions with the new certificate.
Solution
If FusionAuth allowed two "Verification keys" (primary and secondary) to be defined on a SAMLv2 IdP, the IdP's assertion signing certificate changeover could happen without any intervention on the FusionAuth side.
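The primary/secondary behaviour requested above, as an added example that is not FusionAuth's own code: a Go model of a verification-key set that accepts an assertion signed by either configured key, so the IdP can roll over to its new certificate without the SP rejecting assertions. It assumes plain RSA/SHA-256 over the assertion bytes in place of XML-DSig, and the keys and assertion are constructed inline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// VerificationKeySet holds the primary and secondary keys the SP trusts for one IdP.
type VerificationKeySet struct {
	Primary   *rsa.PublicKey
	Secondary *rsa.PublicKey // nil when no certificate rollover is in progress
}

// Verify checks the assertion signature against each configured key in order and
// reports which one matched. RSA/SHA-256 over raw bytes stands in for XML-DSig.
func (s VerificationKeySet) Verify(assertion, sig []byte) (string, error) {
	digest := sha256.Sum256(assertion)
	for _, c := range []struct {
		name string
		key  *rsa.PublicKey
	}{{"primary", s.Primary}, {"secondary", s.Secondary}} {
		if c.key != nil && rsa.VerifyPKCS1v15(c.key, crypto.SHA256, digest[:], sig) == nil {
			return c.name, nil
		}
	}
	return "", fmt.Errorf("signature matches no configured verification key")
}

// Sign stands in for the IdP signing an assertion with its current certificate.
func Sign(key *rsa.PrivateKey, assertion []byte) []byte {
	digest := sha256.Sum256(assertion)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

func main() {
	oldKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	set := VerificationKeySet{Primary: &oldKey.PublicKey, Secondary: &newKey.PublicKey}
	assertion := []byte(`<saml:Assertion ID="constructed-example"/>`) // constructed input
	for _, signer := range []*rsa.PrivateKey{oldKey, newKey} { // IdP rolls over to newKey
		fmt.Println(set.Verify(assertion, Sign(signer, assertion)))
	}
}
```

Once the IdP has fully switched, the old key is dropped by promoting the secondary to primary and clearing the secondary, which is the only point where an operator needs to act.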
Alternatives/workarounds
No workaround: we have to change the "verification key" when the SAMLv2 IdP changes the certificate it signs assertions with.
Authentication fails until the verification key is updated.
Additional context
I think there should be the same issue with other SAMLv2 IdPs.
Related
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.