
SAML: Multiple certificates in data from "Metadata descriptor URL" #47392

@tgurr

Description


Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

saml

Describe the bug

When trying to use a URL in Metadata descriptor URL:

https://myhn.heilbronn.de/auth/saml/stadtheilbronn/metadata which offers two certificate pairs for signing/encryption, with the first one being the old one, authentication doesn't work. We were told by the support of the service not to use Metadata descriptor URL with their system, as this doesn't work with Keycloak, and to manually input the certificates under Keys instead due to this issue. They also told us this is something which works with, for example, Microsoft Entra ID, which supports using/processing multiple certificates. They probably use this to roll over to new certificates, to make sure people not using the autoconfiguration are able to use both the old and new certificates for a certain time.

Version

26.5.6

Regression

  • The issue is a regression

Expected behavior

Work with the data supplied in Metadata descriptor URL even if it contains multiple certificates, instead of only using the first one and failing if it doesn't fit.

Actual behavior

Keycloak appears to solely use the first certificate(s) and fails authorization with the service, which expects the second certificate(s) to be used.

How to Reproduce?

Have multiple certificates for signing/encryption in Metadata descriptor URL, with the first one not being the "correct" one.

Anything else?

I don't have deep insight into this; I'm just trying to relay what I was told, so I hope I have explained everything correctly.
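As an added example that is not part of the issue and not Keycloak's own (Java) code: the standalone Python script below shows the behaviour the report asks for. It parses a constructed SAML metadata document carrying several KeyDescriptor elements, keeps every certificate per use (a KeyDescriptor without a use attribute counts for both signing and encryption, per the SAML metadata spec), and tries each advertised signing certificate before rejecting a signature, rather than stopping at the first one. The metadata document, the certificate payloads (placeholder bytes, not real X.509 DER) and the HMAC-based stand-in for XML signature verification are all assumptions made for this example.

```python
"""Added example (not Keycloak's code): collect every certificate advertised in
a SAML metadata EntityDescriptor and try each signing certificate in turn,
instead of stopping at the first KeyDescriptor."""
import base64
import hashlib
import hmac
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# (cert_b64, message, signature) -> True if the signature verifies with that cert
Verifier = Callable[[str, bytes, bytes], bool]


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


# Constructed metadata for this example: the old key pair is listed first, the
# new signing certificate third, and a fourth KeyDescriptor has no "use"
# attribute (it then applies to signing AND encryption). The certificate
# payloads are placeholder bytes, not real X.509 DER.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(b'old-signing-cert')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(b'old-encryption-cert')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(b'new-signing-cert')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(b'new-dual-use-cert')}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes, the form used when pinning a certificate by hand."""
    return hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()


def load_certificates(metadata_xml: str) -> Dict[str, List[str]]:
    """Return {'signing': [...], 'encryption': [...]} base64 certs in document order."""
    root = ET.fromstring(metadata_xml)
    certs: Dict[str, List[str]] = {"signing": [], "encryption": []}
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        use = kd.get("use")
        # An omitted "use" attribute means the key serves both purposes.
        uses = [use] if use in certs else list(certs)
        for el in kd.iterfind(".//ds:X509Certificate", NS):
            cert = "".join((el.text or "").split())  # strip PEM line wrapping
            for u in uses:
                if cert and cert not in certs[u]:
                    certs[u].append(cert)
    return certs


def verify_first_only(certs: List[str], message: bytes, signature: bytes,
                      verify: Verifier) -> bool:
    """Behaviour the report describes: only the first certificate is consulted."""
    return bool(certs) and verify(certs[0], message, signature)


def verify_with_any(certs: List[str], message: bytes, signature: bytes,
                    verify: Verifier) -> Optional[str]:
    """Try every advertised signing certificate; return the fingerprint of the
    one that verified the signature, or None if none of them did."""
    for cert in certs:
        if verify(cert, message, signature):
            return fingerprint(cert)
    return None


# Stand-in "signature" (assumption): a real SP/IdP verifies an XML-DSig with
# the public key inside the certificate. Keying an HMAC with the certificate
# bytes keeps the example runnable offline while exercising the same
# certificate-selection logic.
def demo_sign(cert_b64: str, message: bytes) -> bytes:
    return hmac.new(base64.b64decode(cert_b64), message, hashlib.sha256).digest()


def demo_verifier(cert_b64: str, message: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(demo_sign(cert_b64, message), signature)


if __name__ == "__main__":
    certs = load_certificates(SAMPLE_METADATA)
    assertion = b"<saml:Assertion ID='_constructed'>...</saml:Assertion>"
    # The peer signs with the NEW certificate, which is not the first one listed.
    sig = demo_sign(certs["signing"][1], assertion)
    print("first-only:", verify_first_only(certs["signing"], assertion, sig, demo_verifier))
    print("any       :", verify_with_any(certs["signing"], assertion, sig, demo_verifier))
```

The fingerprint returned by `verify_with_any` is useful operationally: logging it tells an administrator which of the rolled-over certificates the peer is currently signing with, so that the manual entries under Keys can be trimmed once the old one is no longer in use. In a real deployment the `verify` callback would be an XML-DSig check (for example with xmlsec), but the fallback over all advertised certificates is the same.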
