So I updated ruby-saml to 1.6.0 hoping to sort out the Azure certificate rollover problem with `idp_cert_multi`. Unfortunately for us, while it contains 3 signing certificates, it contains no additional encryption certificate. This results in a `certificates.size` of 1 when parsing the metadata, which in turn results in only the `idp_cert` and fingerprint being set to the first one. That is going to cause us the original problem of Mismatch Fingerprint.

Would it be an acceptable solution if we check whether only signing certificates are present and there is more than 1, and then set `idp_cert_multi` to use the certificates for both signing and encryption?

Like below?
```ruby
if certificates.key?("signing")
  if certificates['signing'].size > 1
    parsed_metadata[:idp_cert_multi] = {signing: certificates['signing'],
                                        encryption: certificates['signing']}
  else
    parsed_metadata[:idp_cert] = certificates["signing"][0]
    parsed_metadata[:idp_cert_fingerprint] = fingerprint(
      parsed_metadata[:idp_cert],
      parsed_metadata[:idp_cert_fingerprint_algorithm]
    )
  end
else
  parsed_metadata[:idp_cert] = certificates["encryption"][0]
  parsed_metadata[:idp_cert_fingerprint] = fingerprint(
    parsed_metadata[:idp_cert],
    parsed_metadata[:idp_cert_fingerprint_algorithm]
  )
end
```
https://github.com/onelogin/ruby-saml/blob/b3ac5bd3acb76c31c6bbb24784cc8648244e0e80/lib/onelogin/ruby-saml/idp_metadata_parser.rb#L333
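An added example, not part of the original issue and not ruby-saml's own code: a simplified model of the two pinning behaviours discussed above, showing why metadata with three signing certificates and no encryption certificate leads to a fingerprint mismatch after rollover. The helper names (`pin_first`, `pin_proposed`, `trusted?`) and the certificate values are constructed for illustration, and the SHA-1 default is an assumption.

```ruby
require "digest"
require "base64"

# Constructed placeholders standing in for the three base64 signing
# certificates in the metadata (not real X.509 data).
SIGNING_CERTS = %w[signing-cert-A signing-cert-B signing-cert-C]
                .map { |s| Base64.strict_encode64(s) }

# Colon-separated hex digest of the decoded certificate bytes.
def cert_fingerprint(cert_b64, digest = Digest::SHA1)
  digest.hexdigest(Base64.decode64(cert_b64)).upcase.scan(/../).join(":")
end

# Behaviour described in the issue: only the first certificate is pinned.
def pin_first(certificates)
  cert = (certificates["signing"] || certificates["encryption"])[0]
  { idp_cert: cert, idp_cert_fingerprint: cert_fingerprint(cert) }
end

# Selection proposed in the issue: several signing certificates and no
# encryption certificate populate idp_cert_multi for both uses.
def pin_proposed(certificates)
  signing = certificates["signing"]
  return pin_first(certificates) unless signing && signing.size > 1
  { idp_cert_multi: { signing: signing, encryption: signing } }
end

# Simplified trust decision (hypothetical helper): is the certificate that
# signed a response one of the pinned ones?
def trusted?(settings, presented_cert)
  if settings[:idp_cert_multi]
    settings[:idp_cert_multi][:signing].any? do |c|
      cert_fingerprint(c) == cert_fingerprint(presented_cert)
    end
  else
    settings[:idp_cert_fingerprint] == cert_fingerprint(presented_cert)
  end
end

metadata = { "signing" => SIGNING_CERTS }  # no "encryption" key, as in the issue
after_rollover = SIGNING_CERTS[1]          # IdP now signs with the second cert
puts trusted?(pin_first(metadata), after_rollover)     # false
puts trusted?(pin_proposed(metadata), after_rollover)  # true
```

A certificate that is not listed in the metadata is still rejected under both models, so pinning every published signing certificate widens trust only to what the IdP itself advertises.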