Tags: ssl, single-sign-on, saml-2.0, digital-certificate

Multiple certificate in SAML metadata xml file


I am using SAML 2.0 for SSO in my application. Currently I am using one certificate in the metadata, so at the time of certificate expiry I have to change the certificate at a specific time, i.e. at the time the certificate expires. I need to support dual certificates in the metadata, so I can add the new certificate before the old one expires. How can I achieve this? Here is my existing metadata file:

<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: SPMetadata.xml 2936 2008-05-26 08:06:46Z jre $ -->
<md:EntityDescriptor entityID="https://examplecom/sso/saml/metadata" xmlns:brs="http://www.eogs.dk/2007/07/brs" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
   <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:1.1:protocol urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor>
         <ds:KeyInfo>
            <ds:X509Data>
               <ds:X509Certificate>
                  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX----My certificate which I am using------
                  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
               </ds:X509Certificate>
            </ds:X509Data>
         </ds:KeyInfo>
      </md:KeyDescriptor>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://examplecom/sso/saml/SAMLAssertionConsumer" index="0"/>
   </md:SPSSODescriptor>
   <md:Organization>
      <md:OrganizationName xml:lang="en">XXX example</md:OrganizationName>
      <md:OrganizationDisplayName xml:lang="en">XXX example</md:OrganizationDisplayName>
      <md:OrganizationURL xml:lang="en">http://www.examplecom</md:OrganizationURL>
   </md:Organization>
   <md:ContactPerson>
      <md:Company>XXX</md:Company>
      <md:GivenName>XXX Support</md:GivenName>
      <md:SurName>Support</md:SurName>
      <md:EmailAddress>mailto:saml-support@examplecom</md:EmailAddress>
      <md:TelephoneNumber>XXXXX</md:TelephoneNumber>
   </md:ContactPerson>
</md:EntityDescriptor>

Solution

  • Although the XML Signature Syntax and Processing recommendation (https://www.w3.org/TR/xmldsig-core/) referenced in the SAML metadata spec would allow specifying several elements within the <ds:X509Data> element, the SAMLv2 interoperability profile (e.g. http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-iop-cs-01.html, section 2.5.1) suggests using multiple <ds:KeyInfo> elements within <md:KeyDescriptor> elements.