Support for multiple certificates in IdP metadata

[acorns-shiraki]

Hello,

I'm currently working on implementing SAML SSO using your library, and I have a question regarding the support for multiple certificates in the IdP metadata.

It's a common practice for IdPs to publish multiple certificates (e.g., a new one and an old one) in their metadata for smooth certificate rotation and to avoid downtime during updates. However, from my investigation of the library's code, it seems that it might not support multiple certificates for IdPs.

Could you please confirm if this is the case? If the library does support multiple IdP certificates, could you point me to the relevant part of the code or documentation?

Thank you for your time and assistance.

[upwebdesign]

@acorns-shiraki, as you suspected, multiple certificates do not appear to be supported. How do you propose that should work?

[acorns-shiraki]

Thank you for reply.

As for how this could be implemented, here are some ideas:

1. Extend the metadata structure: Allow multiple <KeyDescriptor> elements in the IdP metadata, each containing a different certificate.

2. Certificate selection logic: Implement a mechanism to choose which certificate to use for signature verification. This could be based on factors like expiration date or a specified order.