I have a question about certificates generated in metadata (my SP). Our IdP says that when I change the certificate I can publish it in the metadata e.g. 20 days before as a secondary. Then the IdP could load that, set up trust, and then (e.g. 5 days before expiration) my SP switches from secondary to primary.
Is it possible to set some certificate as a secondary? How could I do it?
I think that it's quite a common issue to change a certificate, but I did not find any info about the hierarchy of certificates in metadata.
We use spring security saml v1.0.1
Thank you!
EDIT
I added another property to my extendedMetadata and added another KeyDescriptor to spDescriptor, and then it works - it generates metadata with two certificates with usageType SIGNING, and the ADFS server is able to load it. Note that you can't have multiple encryption keys in metadata (if you work with ADFS - I don't know the case for any other IdPs).
But a new issue appeared. I have to sign my metadata, and I found that if the property with name
`<property name="signingKey" value="alias"/>`
is empty (the certificate is old and I don't want to use it), the metadata is not signed. Could I use my custom property like
`<property name="signingKeySecondary" value="alias2" />`
to sign the metadata?
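One way to publish the upcoming certificate as a second `use="signing"` key during rotation, as an added example that is not part of the question and not code from the spring-security-saml project. It assumes spring-security-saml 1.0.x, where `MetadataGenerator` exposes the protected hooks `buildSPSSODescriptor`, `getServerKeyInfo` and `getKeyDescriptor`; the `secondarySigningKey` property and the class name are hypothetical.

```java
// Added example; assumes the protected hook signatures of
// spring-security-saml 1.0.x MetadataGenerator.
import java.util.Collection;

import org.opensaml.saml2.metadata.SPSSODescriptor;
import org.opensaml.xml.security.credential.UsageType;
import org.springframework.security.saml.metadata.MetadataGenerator;

public class RotatingMetadataGenerator extends MetadataGenerator {

    // Keystore alias of the NEXT signing certificate (hypothetical property).
    // null means no rotation is in progress and metadata is generated as usual.
    private String secondarySigningKey;

    public void setSecondarySigningKey(String alias) {
        this.secondarySigningKey = alias;
    }

    public String getSecondarySigningKey() {
        return secondarySigningKey;
    }

    @Override
    protected SPSSODescriptor buildSPSSODescriptor(String entityBaseURL, String entityAlias,
            boolean requestSigned, boolean wantAssertionSigned,
            Collection<String> includedNameID) {
        // Let the stock generator emit the primary signing, encryption and TLS
        // KeyDescriptors from ExtendedMetadata (signingKey, encryptionKey, tlsKey).
        SPSSODescriptor descriptor = super.buildSPSSODescriptor(entityBaseURL, entityAlias,
                requestSigned, wantAssertionSigned, includedNameID);

        if (secondarySigningKey != null) {
            // Add the upcoming certificate as an additional use="signing" key.
            // The IdP can load and trust it now; the SP keeps signing with the
            // primary key until signingKey is switched to the new alias.
            // Only one encryption key is published, which is what ADFS accepts.
            descriptor.getKeyDescriptors().add(
                    getKeyDescriptor(UsageType.SIGNING, getServerKeyInfo(secondarySigningKey)));
        }
        return descriptor;
    }
}
```

Wire this class in place of the stock `metadataGenerator` bean; on switch-over day set `signingKey` in ExtendedMetadata to the new alias and clear `secondarySigningKey`. As far as I know, the 1.0.x metadata signing routine only reads `ExtendedMetadata.signingKey`, so that property, not a custom one, must always point at a usable key for the metadata to be signed.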