Use `sp_new.crt` if you are in a key rollover process and you want to

publish that x509certificate on Service Provider metadata.

/*

// 'x509certNew': '',

/* In some scenarios the IdP uses different certificates for

// 'x509certMulti': {

// 'signing': [

// '<cert1-string>'

// ],

// 'encryption': [

// '<cert2-string>'

// ]

// }

The method above requires a little extra work to manually specify attributes about the IdP. (And your SP application)

There's an easier method -- use a metadata exchange. Metadata is just an XML file that defines the capabilities of both the IdP and the SP application. It also contains the X.509 public key certificates which add to the trusted relationship. The IdP administrator can also configure custom settings for an SP based on the metadata.

Using ````parse_remote```` IdP metadata can be obtained and added to the settings withouth further ado.

``

idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote('https://example.com/auth/saml2/idp/metadata')

``

If the Metadata contains several entities, the relevant EntityDescriptor can be specified when retrieving the settings from the IdpMetadataParser by its Entity Id value:

idp_data = OneLogin_Saml2_IdPMetadataParser.parse_remote(https://example.com/metadatas, entity_id='idp_entity_id')

If you plan to update the SP x509cert and privateKey you can define the new x509cert as $settings['sp']['x509certNew'] and it will be

published on the SP metadata so Identity Providers can read them and get ready for rollover.

In some scenarios the IdP uses different certificates for

signing/encryption, or is under key rollover phase and more than one certificate is published on IdP metadata.

In order to handle that the toolkit offers the $settings['idp']['x509certMulti'] parameter.

When that parameter is used, 'x509cert' and 'certFingerprint' values will be ignored by the toolkit.

The 'x509certMulti' is an array with 2 keys:

- 'signing'. An array of certs that will be used to validate IdP signature

- 'encryption' An array with one unique cert that will be used to encrypt data to be sent to the IdP.

* ***get_sp_cert_new*** Returns the future x509 public cert of the SP.

* ***format_idp_cert_multi*** Formats all registered IdP certs.

* ***format_sp_cert_new*** Formats the SP cert new.

* sp.key Private Key

* sp.crt Public cert

* sp_new.crt Future Public cert

* sp.key Private Key

* sp.crt Public cert

* sp_new.crt Future Public cert

* sp.key Private Key

* sp.crt Public cert

* sp_new.crt Future Public cert

idp_data = self.get_settings().get_idp_data()

exists_x509cert = 'x509cert' in idp_data and idp_data['x509cert']

exists_multix509sign = 'x509certMulti' in idp_data and \

'signing' in idp_data['x509certMulti'] and \

idp_data['x509certMulti']['signing']

if not (exists_x509cert or exists_multix509sign):

error_msg = 'In order to validate the sign on the %s, the x509cert of the IdP is required' % saml_type

if exists_multix509sign:

for cert in idp_data['x509certMulti']['signing']:

if OneLogin_Saml2_Utils.validate_binary_sign(signed_query,

OneLogin_Saml2_Utils.b64decode(signature),

cert,

sign_alg):

return True

'Signature validation failed. %s rejected' % saml_type,

else:

cert = idp_data['x509cert']

if not OneLogin_Saml2_Utils.validate_binary_sign(signed_query,

OneLogin_Saml2_Utils.b64decode(signature),

cert,

sign_alg,

self.__settings.is_debug_active()):

raise OneLogin_Saml2_ValidationError(

'Signature validation failed. %s rejected' % saml_type,

OneLogin_Saml2_ValidationError.INVALID_SIGNATURE

)