Expected Behavior

You can configure multiple certificates for signing SAML requests. When resolving the certificate for creating a signature it should also be checked that this certificate is still valid.

Current Behavior

Currently, org.springframework.security.saml2.provider.service.web.authentication.OpenSaml5Template uses org.opensaml.saml.security.impl.SAMLMetadataSignatureSigningParametersResolver or the underlying org.opensaml.xmlsec.impl.BasicSignatureSigningParametersResolver, neither of which checks certificate validity.

Context

When a signing certificate expires, some IdPs no longer accept the signatures. The change of the certificate should not affect the user, so most IdPs support multiple signature certificates to do a rollover without affecting the user. Spring-Security-SAML also supports multiple signing certificates, but not a rollover at runtime, so a certificate must be removed from the configuration before it expires. This enhancement relates to #10799.

Solution suggestions

1. Implement an org.opensaml.xmlsec.SignatureSigningParametersResolver which also checks the validity of the certificates.
2. Open up org.springframework.security.saml2.provider.service.web.authentication.OpenSaml5Template so that it is possible to add a custom resolver.
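As an illustration of suggestion 1, here is an added example (not code from Spring Security or OpenSAML) of a resolver that filters out signing credentials whose X.509 certificate is outside its validity window. It assumes OpenSAML 5 package names, that getEffectiveSigningCredentials is the protected hook in BasicSignatureSigningParametersResolver, and a hypothetical package com.example.saml.

```java
// Added example, not project code. Assumes OpenSAML 5 packages and that
// getEffectiveSigningCredentials is the protected hook to override; verify against your version.
package com.example.saml;

import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.function.Supplier;

import net.shibboleth.shared.resolver.CriteriaSet;
import org.opensaml.security.credential.Credential;
import org.opensaml.security.x509.X509Credential;
import org.opensaml.xmlsec.impl.BasicSignatureSigningParametersResolver;

public class ValidityCheckingSigningParametersResolver extends BasicSignatureSigningParametersResolver {

    private final Supplier<Date> clock;

    public ValidityCheckingSigningParametersResolver() { this(Date::new); }

    // Injectable clock so rollover behaviour can be unit-tested at fixed instants.
    public ValidityCheckingSigningParametersResolver(Supplier<Date> clock) { this.clock = clock; }

    @Override
    protected List<Credential> getEffectiveSigningCredentials(CriteriaSet criteria) {
        List<Credential> configured = super.getEffectiveSigningCredentials(criteria);
        List<Credential> valid = new ArrayList<>();
        Date now = clock.get();
        for (Credential c : configured) {
            if (isCurrentlyValid(c, now)) valid.add(c);
        }
        // Caveat: if every configured certificate is invalid, keep the original list so the
        // failure mode stays the same as today (IdP rejects the signature) instead of a new one.
        return valid.isEmpty() ? configured : valid;
    }

    // Non-X.509 credentials (raw keys) carry no validity period and are kept as-is.
    static boolean isCurrentlyValid(Credential credential, Date now) {
        if (!(credential instanceof X509Credential)) return true;
        X509Certificate cert = ((X509Credential) credential).getEntityCertificate();
        try {
            cert.checkValidity(now);
            return true;
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            return false;
        }
    }
}
```

Ordering is preserved, so the first still-valid certificate in the configured list is the one picked for signing; the one that is about to expire can then be listed last and removed later without a redeploy at the moment of expiry.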