Expand my Community achievements bar.

SOLVED

SAML - Multiple Signing Keys

Avatar

Level 2

Does anyone know if the SAML Authentication Handler supports multiple Signing Keys?

 

Thanks

1 Accepted Solution

Avatar

Correct answer by
Level 10

For now it is not supported.  Assume it is supported how would you visualize which one to select based on that multiple keys?

View solution in original post

5 Replies

Avatar

Level 10

Are you talking about having multiple SAMLs ??

You can have multiple configs for 'SAML Authentication Handler' here /system/console/configMgr 

Avatar

Level 2

Multiple signing keys from the same IDP.  I don't think it's a SAML configuration issue as much as it a back end capability to accept multiple signing keys from the same IDP.

Avatar

Correct answer by
Level 10

For now it is not supported.  Assume it is supported how would you visualize which one to select based on that multiple keys?

Avatar

Level 2

From our Security Engineering Group

Here is the basic flow:

  1.   Receive SAML Token signed with Certificate X
  2.   Does Certificate 1, registered within the Adobe application, match Certificate X?
    1.   If yes, use Certificate 1 to validate the signature of the SAML Token
    2.   If no, does Certificate 2, registered within the Adobe application, match Certificate X?
      1.                            If yes, use Certificate 2 to validate the signature of the SAML Token
      2.                          If no, failure

 

Additionally, once a certificate is found, it could be flagged for some session period to become the default certificate for validation purposes which would help eliminate the need to perform the IF-ELSE checks each time.

Avatar

Level 10

Thanks for details. We store idpCertAlias as string & need to change to array to match your need. Sounds doable, can you please file a support request to track this enhancement?