0

I've got a site acting as an Identity Provider (IdP) for Single Sign on and another 2 service providers that authenticate against it using SAML 2. At the moment, both service providers use the same certificate to validate the SAML response from the IdP.

I've now got a 3rd Service Provider joining shortly and I wondered whether I should really be issuing separate certificates to each party so that we could potentially revoke their access, if required, without affecting the other Service Providers? What approach have others taken and why?

I'm using SimpleSamlPHP as the IdP.

Chris Lewis
  • 1,315
  • 10
  • 25

2 Answers2

4

As I understand, what you want is to be able to revoke SSO access for one SP but not all.

I would think this should not be done by revoking certificates but rather by removing the metadata from SimpleSamlPHP.

Stefan Rasmusson
  • 5,445
  • 3
  • 21
  • 48
1

The problem with this is that the certificate information is in the IDP metadata that is sent to the SP and the metadata normally only allows for one certificate for one task (can be different tasks e.g. for signing and encryption).

Coming back the other way e.g. signing the SP Authn request, all the SP's can have different cetificates or they can share.

Some products e.g. ADFS 2.0 before Rollup 3 do not allow SP to share certificates.

rbrayb
  • 46,440
  • 34
  • 114
  • 174