Support for multiple certificates to validate SAML response during authentication

Which IIQ version are you inquiring about?

Version 8.X

Share all details related to your problem, including any error messages you may have received.

I am very new to Identity IQ…

I am trying to authenticate users via SSO using SAML authentication.

The IDP I’m using has multiple SAML response signing certificates in its SAML metadata. The SAML specification allows this, but Identity IQ only allows one certificate to be supplied for SAML response validation. What are my options?

  1. Can I modify the core Identity IQ code to correct this?
  2. Can I modify the SAML authentication flow by some other means so I can do the SAML response validation using custom code?
  3. Can I turn off SAML response validation somehow?
  4. Worst case scenario, can I develop my own authentication plugin?

Hi Zain,

  1. No
  2. You should just have the CA in your trust store - that should support any certificate
  3. No
  4. Most probably - but it might be a complex topic.

Thanks Kamil for the super fast response.

On your point about having the CA in the trust store - how would that work? Even if I had the CA in the trust store I still need the right certificate, i.e. one of the signing certificates in the IDP SAML metadata. It’s one of those certificates that contains the key to validate the signature in the SAML response. Having the CA in the trust store just ensures I can trust any certificate that is issued by the IDP.

Or am I missing something? What trust store are we talking about?
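The key-selection logic Zain describes, as an added example that is neither IdentityIQ code nor from anyone in this thread: a stdlib-only Python sketch that collects every signing certificate from the IdP metadata and only ever lets the verifier use one of those, treating the certificate embedded in the Response as a hint rather than a trust decision. The actual XML-DSig verification is left to a signature library; all XML and certificate bodies are constructed dummies.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed IdP metadata: two certificates usable for signing (one with an explicit
# use="signing", one with no 'use', which the metadata spec treats as signing and
# encryption) plus one encryption-only cert. Base64 bodies are dummies, not real X.509.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test">
 <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>Q0VSVC1BLU9MRA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>Q0VSVC1CLU5FVw==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>Q0VSVC1FTkM=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""


def trusted_signing_certs(metadata_xml):
    """DER bytes of every IdP certificate allowed to sign Responses."""
    certs = set()
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") == "encryption":  # a missing 'use' still covers signing
            continue
        for c in kd.iterfind(".//ds:X509Certificate", NS):
            certs.add(base64.b64decode("".join(c.text.split())))
    return certs


def candidate_signing_certs(response_xml, trusted):
    """Certificates the XML-DSig verifier may try against this Response.
    The cert inside ds:KeyInfo is only a hint: it is used when it matches a
    metadata cert; otherwise all trusted certs are tried and the embedded
    one is never used, so the message cannot pick its own verification key."""
    root = ET.fromstring(response_xml)
    hint = root.find("./ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if hint is not None and hint.text:
        der = base64.b64decode("".join(hint.text.split()))
        if der in trusted:
            return [der]
    return sorted(trusted)  # unknown or absent hint: try every metadata cert


def sample_response(cert_b64):
    """Constructed Response skeleton with a KeyInfo cert (no real signature)."""
    return ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
            'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1"><ds:Signature>'
            "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>" + cert_b64 +
            "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature></samlp:Response>")
```

A CA certificate in a trust store plays no part here: the verifier needs the IdP's own signing certificates from metadata, and a rotated or secondary signing key only works if it is in that trusted set.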
