I’ve just received an email stating:
I have different certificates in the SimpleSAMLphp SP and OpenSSO IdP, but both certificates are signed by the same CA.
If we have metadata signing enabled in the SimpleSAMLphp SP, and I try to “Register Remote Identity Provider”, I get the error “Certificate Not Trusted”.
Can’t we use different certificates signed by the same CA in SimpleSAMLphp and OpenSSO?
So we have:
- SimpleSAMLPhp SAML2 Service Provider (SP)
- OpenSSO SAML2 Identity Provider (IDP)
So if this is the case, why would you be trying to register a remote identity provider in OpenSSO? OpenSSO is the IDP here, so the thing it needs to know about is a remote service provider; it is SimpleSAMLphp, as the SP, that needs to know about a remote IDP. You should be:
- Creating an IDP on OpenSSO
- Grabbing that IDP metadata (including the signing information)
- Creating a SP on SimpleSAMLPhp
- Adding the IDP’s metadata to SimpleSAMLphp, in metadata/saml20-idp-remote.php (don’t forget to convert it from the XML OpenSSO exports into the SimpleSAMLphp PHP-array format; the metadata converter under the SimpleSAMLphp admin pages does this for you)
- Registering the SP’s metadata URL with the IDP (“Register Remote Service Provider” in OpenSSO).

Note that trust in a SAML2 federation is per certificate, not per CA: SimpleSAMLphp validates the IDP’s signatures against the certificate held in its remote metadata for that IDP, and the IDP does likewise with the certificate in the SP’s registered metadata. The two sides can use different certificates, but each must hold a copy of the other’s actual certificate; having both issued by the same CA establishes nothing on its own.
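To make the “convert it into the SimpleSAMLphp format” step concrete, here is an added example (my own code, not part of the original post and not code from SimpleSAMLphp or OpenSSO) that reads the IDP metadata XML that OpenSSO exports and prints the matching entry for metadata/saml20-idp-remote.php. The hostnames, the metaAlias path and the certificate value in the sample metadata are constructed placeholders.

```php
<?php
// Added example: convert OpenSSO IDP metadata into a SimpleSAMLphp
// saml20-idp-remote.php entry. Not code from the original post, SimpleSAMLphp
// or OpenSSO. Every hostname and the certificate value below are constructed.

// Constructed sample of what OpenSSO exports for an IDP. The X509Certificate
// content is a placeholder base64 string, not a real certificate.
$openssoIdpMetadata = <<<'XML'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                  entityID="https://opensso.example.com/opensso">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>
            MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://opensso.example.com/opensso/IDPSloRedirect/metaAlias/idp"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://opensso.example.com/opensso/SSORedirect/metaAlias/idp"/>
  </IDPSSODescriptor>
</EntityDescriptor>
XML;

function openssoIdpToSimpleSamlPhp(string $xml): array
{
    $doc = new DOMDocument();
    // LIBXML_NONET: parsing metadata must never fetch DTDs or external entities.
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        throw new RuntimeException('IDP metadata is not well-formed XML');
    }
    $xp = new DOMXPath($doc);
    $xp->registerNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata');
    $xp->registerNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#');
    $redirect = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect';

    $entityId = $xp->evaluate('string(/md:EntityDescriptor/@entityID)');
    $sso = $xp->evaluate("string(//md:IDPSSODescriptor/md:SingleSignOnService[@Binding='$redirect']/@Location)");
    $slo = $xp->evaluate("string(//md:IDPSSODescriptor/md:SingleLogoutService[@Binding='$redirect']/@Location)");
    // A KeyDescriptor with no "use" attribute covers both signing and encryption.
    $cert = $xp->evaluate("string(//md:IDPSSODescriptor/md:KeyDescriptor[not(@use) or @use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate)");
    $cert = preg_replace('/\s+/', '', $cert);

    if ($entityId === '' || $sso === '') {
        throw new RuntimeException('Metadata lacks an entityID or an HTTP-Redirect SingleSignOnService');
    }
    // Refuse to emit an entry without a signing certificate: without certData,
    // SimpleSAMLphp has nothing to validate the IDP's signatures against.
    if ($cert === '' || base64_decode($cert, true) === false) {
        throw new RuntimeException('Metadata lacks a usable signing certificate');
    }

    $entry = array(
        'SingleSignOnService' => $sso,
        // The exact certificate, not its issuing CA, is what SimpleSAMLphp trusts.
        'certData' => $cert,
    );
    if ($slo !== '') {
        $entry['SingleLogoutService'] = $slo;
    }
    return array($entityId => $entry);
}

foreach (openssoIdpToSimpleSamlPhp($openssoIdpMetadata) as $entityId => $entry) {
    // Append this to metadata/saml20-idp-remote.php on the SP.
    echo '$metadata[' . var_export($entityId, true) . '] = '
        . var_export($entry, true) . ";\n";
}
```

Run it with the php CLI and append the printed entry to metadata/saml20-idp-remote.php. On the SP side the matching pieces are the 'privatekey' and 'certificate' options of the saml:SP entry in authsources.php and, for signed metadata, 'metadata.sign.enable', 'metadata.sign.privatekey' and 'metadata.sign.certificate' in config.php. Whenever OpenSSO rolls its signing certificate, re-run the conversion: the pinned certData, not the CA, is what the SP checks, so a new certificate from the same CA is rejected until the remote metadata is updated.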
https://kenning.co.nz/identity-management/connecting-opensso-idp-with-simplesamlphp-sp/ tells you a little more about connecting an OpenSSO IDP to a SimpleSAMLPhp SP.