* Alex Stuart <[log in to unmask]> [2017-05-25 13:18]:
> I thought SimpleSAMLphp SP could consume an IdP's metadata with more
> than one certificate & check each of those.
The fact that from the error message the certificate's fingerprint
(and not the actual full certificate) is being used for validation
makes me believe that the SP manually configured SimpleSAMLphp-style
metadata (i.e., PHP arrays) from the IdP's SAML 2.0 metadata -- and
possibly even using the wrong key.
A SimpleSAMLphp SP converting SAML 2.0 metadata (most commonly using
the "metarefresh" module) would have all certificates in its local
metadata, and have the actual certificates, not just their
fingerprints.
But maybe I'm reading too much into the error message; either way, the
SP has the wrong cert (or the wrong cert's fingerprint) on record.
-peter
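An added example, not part of the thread above, of the check Peter's diagnosis implies: parse the IdP's SAML 2.0 metadata, collect every KeyDescriptor usable for signing (including those without a `use` attribute, which the metadata schema treats as valid for both signing and encryption), compute each certificate's SHA-1 fingerprint, and see whether the fingerprint the SP has on record matches any of them. The metadata document is constructed inline and its certificate bodies are placeholder bytes rather than real X.509 certificates; the hex-without-colons fingerprint format is assumed to be what SimpleSAMLphp's `certFingerprint` setting expects.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample IdP metadata with two signing certificates (a key
# rollover in progress). The certificate bodies are placeholder bytes,
# not real DER-encoded X.509 certificates.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {old}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {new}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {enc}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""".format(
    old=base64.b64encode(b"OLD-IDP-SIGNING-CERT-PLACEHOLDER").decode(),
    new=base64.b64encode(b"NEW-IDP-SIGNING-CERT-PLACEHOLDER").decode(),
    enc=base64.b64encode(b"IDP-ENCRYPTION-CERT-PLACEHOLDER").decode(),
)


def fingerprint(cert_b64: str) -> str:
    """SHA-1 over the decoded (DER) certificate bytes, as lowercase hex
    without colons (assumed to match SimpleSAMLphp's certFingerprint form)."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha1(der).hexdigest().lower()


def signing_certs(metadata_xml: str) -> list:
    """Return (use, base64) for every certificate the IdP may sign with.
    A KeyDescriptor with no 'use' attribute is valid for both purposes."""
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use", "both")
        if use not in ("signing", "both"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            found.append((use, "".join(cert.text.split())))
    return found


def check_fingerprint(metadata_xml: str, on_record: str) -> dict:
    """Compare the fingerprint an SP has on record against all signing
    certificates in the IdP metadata. Colons and case are ignored so
    'AB:CD:..' and 'abcd..' compare equal."""
    fps = [fingerprint(c) for _, c in signing_certs(metadata_xml)]
    wanted = on_record.replace(":", "").lower()
    return {"metadata_fingerprints": fps, "matches": wanted in fps}


if __name__ == "__main__":
    for use, cert in signing_certs(SAMPLE_METADATA):
        print(use, fingerprint(cert))
    # A stale value copied by hand (constructed) will not match any cert.
    print(check_fingerprint(SAMPLE_METADATA, "00" * 20))
```

If the fingerprint from the SP's error message is absent from this list, the SP's hand-maintained metadata is stale or was copied from the wrong key; an SP that converts the IdP's metadata with metarefresh carries all of these certificates in full and avoids the problem.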