I’ve just received an email stating:

I have different certficates in the simplesamlphp sp and OpenSSO IdP, but both certificates signed by same CA.

If we have metadata signing enabled in the simplesamlsp, and If I try to “Register Remote Identity Provider”, I am getting the erro, “Certificate Not Trusted”

Can’t we use different certificates signed by same CA in simpleamlphp and opensso ?

So we have a:

1. SimpleSAMLPhp SAML2 Service Provider (SP)
2. OpenSSO SAML2 Identity Provider (IDP)

So if this is the case, why would you be trying to register a remote identity provider in OpenSSO? You should be:

1. Creating an IDP on OpenSSO
2. Grabbing that IDP metadata (including the signing information)
3. Creating a SP on SimpleSAMLPhp
4. Adding the IDP’s metadata to SimpleSAMLPhp (idp-20-remote.php off the top of my head, don’t forget to convert it into the SimpleSAMLPhp format)
5. Adding the SP’s metadata URL to the IDP.

http://kenning.co.nz/identity-management/connecting-opensso-idp-with-simplesamlphp-sp/ tells you a little more about connecting an OpenSSO IDP to a SimpleSAMLPhp SP.