SOLVED

SAML - Multiple Signing Keys


Level 2

Does anyone know if the SAML Authentication Handler supports multiple Signing Keys?


Thanks


5 Replies


Level 10

Are you talking about having multiple SAMLs?

You can have multiple configs for 'SAML Authentication Handler' here: /system/console/configMgr


Level 2

Multiple signing keys from the same IDP. I don't think it's a SAML configuration issue as much as it is a back-end capability to accept multiple signing keys from the same IDP.


Correct answer by
Level 10

For now it is not supported. Assuming it were supported, how would you visualize which one to select based on those multiple keys?


Level 2

From our Security Engineering Group:

Here is the basic flow:

  1. Receive SAML Token signed with Certificate X
  2. Does Certificate 1, registered within the Adobe application, match Certificate X?
     1. If yes, use Certificate 1 to validate the signature of the SAML Token
     2. If no, does Certificate 2, registered within the Adobe application, match Certificate X?
        1. If yes, use Certificate 2 to validate the signature of the SAML Token
        2. If no, failure


Additionally, once a certificate is found, it could be flagged for some session period to become the default certificate for validation purposes which would help eliminate the need to perform the IF-ELSE checks each time.
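The flow described above, as an added Python example that is not from this thread or from AEM's own SAML handler: each registered certificate is matched against the token's signing certificate by fingerprint, the matching registered copy (never the certificate carried in the token) is used for verification, and the matched alias is flagged as the session default to try first. The MultiCertValidator class, the alias names and the HMAC stand-in for XML-DSig RSA verification are assumptions made for this example.

```python
import hashlib
import hmac
from typing import Callable, Dict, Optional
# "Does Certificate N match Certificate X?" is decided by comparing fingerprints.
def fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()

class MultiCertValidator:
    def __init__(self, registered: Dict[str, bytes],
                 verify: Callable[[bytes, bytes, bytes], bool]) -> None:
        self.registered = registered        # alias -> cert bytes, in check order
        self.verify = verify                # real code: XML-DSig with cert's key
        self.default_alias: Optional[str] = None  # cert flagged for the session

    def select_alias(self, signing_cert: bytes) -> Optional[str]:
        """Step 2 of the flow: which registered certificate is Certificate X?"""
        want = fingerprint(signing_cert)
        order = list(self.registered)
        if self.default_alias in order:     # try the flagged default first
            order.insert(0, order.pop(order.index(self.default_alias)))
        for alias in order:
            if hmac.compare_digest(fingerprint(self.registered[alias]), want):
                return alias
        return None                         # step 2.2.2: no match -> failure

    def validate(self, token: bytes, signature: bytes, signing_cert: bytes) -> bool:
        alias = self.select_alias(signing_cert)
        if alias is None:
            return False
        # Verify with the registered copy, never with the certificate carried in
        # the token: a token presenting an unknown certificate must fail here.
        ok = self.verify(self.registered[alias], token, signature)
        if ok:
            self.default_alias = alias
        return ok

# Demo on constructed data; HMAC keyed on the cert bytes stands in for RSA.
def hmac_verify(cert: bytes, token: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(hmac.new(cert, token, "sha256").digest(), sig)

def demo() -> dict:
    certs = {"idp-cert-1": b"constructed-cert-1", "idp-cert-2": b"constructed-cert-2"}
    v = MultiCertValidator(certs, hmac_verify)
    token = b"constructed SAML assertion bytes"
    sig2 = hmac.new(certs["idp-cert-2"], token, "sha256").digest()
    return {
        "cert2_ok": v.validate(token, sig2, certs["idp-cert-2"]),
        "unregistered_cert": v.validate(token, sig2, b"unregistered-cert"),
        "wrong_sig": v.validate(token, b"\x00" * 32, certs["idp-cert-1"]),
    }
```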


Level 10

Thanks for the details. We store idpCertAlias as a string and need to change it to an array to match your need. Sounds doable; can you please file a support request to track this enhancement?