Expected Behavior
It would be nice, in the case where we have multiple signing keys, to explicitly set which one should be used when signing the AuthnRequest. This is particularly useful when the Service Provider updates its signing key; a sample scenario would look like this:
- the service provider adds a new signing key along with the old one, and makes them both available in its metadata
- until the metadata is uploaded on the IdP side as well, the old one should still be used for signing requests
- the metadata is uploaded on the IdP
- switch to using the new key on the SP side, but still keep the old one for rollback purposes
- remove the old key if all is well
Context
Trying to migrate from the old SAML library, where we make use of ExtendedMetadata#setSigningKey to set the default signing key in cases where we have multiple service provider keys.
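The rollover in the scenario above hinges on one check: the new key may only become the active signing key once the IdP's stored copy of the SP metadata lists it, otherwise signed requests are rejected. As an added example (not code from this issue or from either SAML library), here is that check in Python over minimal, constructed SP metadata; the entityID and certificate strings are placeholders.

```python
"""Key-rollover guard for SAML AuthnRequest signing (constructed example)."""
from __future__ import annotations
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signing_certs(metadata_xml: str) -> list[str]:
    """Certificates usable for signing, in document order.
    A KeyDescriptor with no 'use' attribute covers both signing and encryption."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))  # drop base64 line wrapping
    return certs

def choose_signing_key(sp_metadata: str, idp_copy: str, preferred: str) -> str:
    """Return the key to sign with: the preferred key if the IdP's stored copy of our
    metadata lists it, otherwise a key both sides know; error if there is none."""
    published = signing_certs(sp_metadata)
    known_to_idp = set(signing_certs(idp_copy))
    if preferred not in published:
        raise ValueError("preferred key is not published in SP metadata")
    if preferred in known_to_idp:
        return preferred
    for cert in published:          # IdP not updated yet: stay on a key it already trusts
        if cert in known_to_idp:
            return cert
    raise RuntimeError("no SP signing key is known to the IdP; requests would be rejected")

def sp_metadata(*certs: str) -> str:
    """Constructed minimal SP metadata listing the given certs as signing keys."""
    key_descriptors = "".join(
        f'<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{c}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        for c in certs)
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'entityID="https://sp.example.test/saml">'  # placeholder entityID
            f"<md:SPSSODescriptor>{key_descriptors}</md:SPSSODescriptor></md:EntityDescriptor>")

OLD_CERT, NEW_CERT = "CERT-OLD-PLACEHOLDER", "CERT-NEW-PLACEHOLDER"  # not real certificates

if __name__ == "__main__":
    both, stale_idp_copy = sp_metadata(OLD_CERT, NEW_CERT), sp_metadata(OLD_CERT)
    print(choose_signing_key(both, stale_idp_copy, NEW_CERT))  # IdP not updated yet: old key
    print(choose_signing_key(both, both, NEW_CERT))            # metadata uploaded: new key
```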