I have a Spring SAML project that has a JKS with the public certificate of the IDP loaded into it. I have a theoretical question:
If I were to load in the issuing root or intermediate CA into the JKS, would that be sufficient for trusting the IDP and validating the IDP SAML messages? The benefit to doing this would be that future IDPs with a common issuer would be trusted without having to load in their certificate.
My understanding is that the actual public certificate of the IDP needs to be in the JKS so that Spring SAML can validate the request; however, isn't the X509 in the request sufficient for doing this, and it's just a matter of validating that the certificate in the IDP's public metadata is from a trusted issuer?
I'm a bit over my head with this. Any insight or explanation will be greatly appreciated!
Yes, you can do that with the PKIX security profile. Loading the IDP certs into the keystore should be enough (provided the trustedKeys in extendedMetadata is null, which is the default).
See the manual, chapter "Security profiles", for all the details.
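Added example, not code from the question, the answer or the Spring Security SAML project: a Java-config sketch of the setup the answer describes. The keystore path, aliases, passwords and the IdP metadata file name are assumptions; the classes and setters (JKSKeyManager, ExtendedMetadata#setSecurityProfile, ExtendedMetadataDelegate) are Spring Security SAML's own. The point it shows is that the keystore holds the issuing CA as a trusted-certificate entry, the security profile is switched from the default "metaiop" to "pkix", and trustedKeys is left unset, so any IdP whose metadata certificate chains to that CA is accepted without importing its leaf certificate.

```java
import java.io.File;
import java.util.HashMap;
import java.util.Map;

import org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.parse.ParserPool;
import org.opensaml.xml.parse.StaticBasicParserPool;
import org.opensaml.xml.parse.XMLParserException;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.security.saml.key.JKSKeyManager;
import org.springframework.security.saml.key.KeyManager;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;

@Configuration
public class SamlPkixTrustConfig {

    @Bean
    public KeyManager keyManager() {
        // Assumed keystore layout: the SP's own signing key pair under alias "sp-signing",
        // plus the IdP issuer's CA certificate imported as a trusted-certificate entry, e.g.
        //   keytool -importcert -alias idp-issuer-ca -file idp-issuer-ca.pem -keystore keystore.jks
        // The CA entry needs no private key; it only acts as a PKIX trust anchor.
        Map<String, String> keyPasswords = new HashMap<>();
        keyPasswords.put("sp-signing", "changeit");                 // assumed password
        return new JKSKeyManager(new ClassPathResource("keystore.jks"), "changeit", keyPasswords, "sp-signing");
    }

    @Bean
    public ExtendedMetadata idpExtendedMetadata() {
        ExtendedMetadata md = new ExtendedMetadata();
        // "pkix": the certificate carried in the IdP's metadata is validated by building a chain
        // to a trusted certificate in the keystore, instead of having to be present there itself
        // ("metaiop", the default, requires an exact match with a key in the metadata/keystore).
        md.setSecurityProfile("pkix");
        // Same rule for the TLS side (artifact resolution, metadata download over HTTPS).
        md.setSslSecurityProfile("pkix");
        // trustedKeys is deliberately left at its default (null): every certificate entry in the
        // keystore is then usable as a trust anchor. Setting it would restrict anchors to the listed aliases.
        return md;
    }

    @Bean
    public ParserPool parserPool() throws XMLParserException {
        StaticBasicParserPool pool = new StaticBasicParserPool();
        pool.setNamespaceAware(true);
        pool.initialize();
        return pool;
    }

    @Bean
    public ExtendedMetadataDelegate idpMetadata() throws MetadataProviderException, XMLParserException {
        // idp-metadata.xml is an assumed local copy of the IdP's published metadata.
        FilesystemMetadataProvider provider = new FilesystemMetadataProvider(new File("idp-metadata.xml"));
        provider.setParserPool(parserPool());
        // The delegate attaches the PKIX extended metadata to this IdP. With metadataTrustCheck on,
        // the signature on the metadata document itself is also verified under the same profile,
        // so a metadata file signed by a key that does not chain to a keystore anchor is rejected.
        ExtendedMetadataDelegate delegate = new ExtendedMetadataDelegate(provider, idpExtendedMetadata());
        delegate.setMetadataTrustCheck(true);
        return delegate;
    }
}
```

Register the delegate with the project's CachingMetadataManager as usual; the only moving parts relative to a stock setup are the CA entry in the keystore and the "pkix" profile on the extended metadata. Note that PKIX trust is still only as narrow as the anchor: a root or intermediate imported as an anchor vouches for every certificate it has issued, not just the IdPs you intended, which is the trade-off behind the question's "common issuer" convenience.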