Idea ID: 2872612

SP Specific Metadata URLs

Status: New Idea

There are some applications (IDM's OSP, for example) that only support importing metadata from the metadata URL. There are organizations that would prefer not to have all of their SPs using the same signing and encryption certificates. This introduces a problem: an individual service provider wants to get the signing and encryption certs from the metadata URL, but that metadata is global for the entire Identity Server cluster. Would it be possible to add a URL parameter to the metadata URL that makes the metadata use the settings specific to that application?

For example, if I have a Service Provider with id=IDMOSP, could I provide https://namserver:port/nidp/saml2/metadata?id=IDMOSP to have the metadata contain the certificates (and perhaps other settings) specific to that SP's configuration?  This would allow us to generate certificates for each individual service provider.

A big headache occurs when dozens or hundreds of service providers are using the default signing and encryption certificates provided in the metadata and those certificates near expiration. We then need to contact all of those service providers and coordinate a massive change across (potentially) hundreds of applications.
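To make the requested behaviour concrete, here is an added sketch of how an IdP metadata endpoint could honour an `id` query parameter. It is example code written for this page, not code from NetIQ Access Manager or IDM's OSP. It assumes a per-SP certificate table keyed by the SP id from the idea (`IDMOSP`) and uses constructed placeholder strings in place of real base64 certificate bodies; an unknown id is refused rather than silently served the global certificates, so a typo in the URL cannot hand an SP the wrong key material.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ET.register_namespace("md", NS["md"])
ET.register_namespace("ds", NS["ds"])

# Entity id and SSO endpoint taken from the idea text; host/port are placeholders.
IDP_ENTITY_ID = "https://namserver:port/nidp/saml2/metadata"
SSO_URL = "https://namserver:port/nidp/saml2/sso"

# Constructed placeholders standing in for the base64 body of <ds:X509Certificate>.
GLOBAL_CERTS = {
    "signing": "GLOBAL-SIGNING-CERT-BASE64",
    "encryption": "GLOBAL-ENCRYPTION-CERT-BASE64",
}
# Hypothetical per-SP table: one signing and one encryption cert per service provider.
SP_CERTS = {
    "IDMOSP": {
        "signing": "IDMOSP-SIGNING-CERT-BASE64",
        "encryption": "IDMOSP-ENCRYPTION-CERT-BASE64",
    },
}


def select_certs(sp_id):
    """Pick the cert set for a metadata request; None means the global (cluster-wide) set."""
    if sp_id is None:
        return GLOBAL_CERTS
    # Unknown ids are an error, not a fallback: never serve another SP's certificates.
    return SP_CERTS[sp_id]


def build_metadata(certs):
    """Render an IdP EntityDescriptor carrying the given signing/encryption certs."""
    root = ET.Element(f"{{{NS['md']}}}EntityDescriptor", entityID=IDP_ENTITY_ID)
    idp = ET.SubElement(
        root, f"{{{NS['md']}}}IDPSSODescriptor",
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol",
    )
    for use in ("signing", "encryption"):
        kd = ET.SubElement(idp, f"{{{NS['md']}}}KeyDescriptor", use=use)
        ki = ET.SubElement(kd, f"{{{NS['ds']}}}KeyInfo")
        xd = ET.SubElement(ki, f"{{{NS['ds']}}}X509Data")
        ET.SubElement(xd, f"{{{NS['ds']}}}X509Certificate").text = certs[use]
    ET.SubElement(
        idp, f"{{{NS['md']}}}SingleSignOnService",
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST", Location=SSO_URL,
    )
    return ET.tostring(root, encoding="unicode")


def handle_metadata_request(url):
    """Dispatch a metadata URL such as .../metadata?id=IDMOSP; returns (status, body)."""
    params = parse_qs(urlparse(url).query)
    ids = params.get("id", [])
    if len(ids) > 1:
        return 400, ""            # ambiguous: refuse rather than guess
    sp_id = ids[0] if ids else None
    try:
        certs = select_certs(sp_id)
    except KeyError:
        return 404, ""            # no SP with that id is configured
    return 200, build_metadata(certs)


def certs_in_metadata(xml_text):
    """Extract {use: certificate text} from a metadata document, as an SP importer would."""
    root = ET.fromstring(xml_text)
    found = {}
    for kd in root.findall(".//md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        found[kd.get("use")] = cert.text
    return found


if __name__ == "__main__":
    status, body = handle_metadata_request(IDP_ENTITY_ID + "?id=IDMOSP")
    print(status, certs_in_metadata(body))
```

With the table above, the plain metadata URL keeps returning the cluster-wide certificates, so existing SPs are unaffected, while `?id=IDMOSP` yields a document whose KeyDescriptors carry only that SP's pair; rotating one SP's certificate then means changing one table entry and having that one SP re-import.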