This is an optional child element of the sustainsys.saml2 element.
Specifies the certificate(s) that the service provider uses for encrypted assertions (and for signed requests, once that feature is added). If neither of those features are used, this element can be ommitted.
The public key(s) will be exposed in the metadata and the private key(s) will be used during decryption/signing.
Individual certificates are added via an
<add> element, so the resulting XML will be similar to the following:
<serviceCertificates> <add use="" status="" metadataPublishOverride="" /> <add use="" status="" metadataPublishOverride="" /> ... </serviceCertificates>
Indicates how the certificate will be used. Options are:
Indicates whether the certificate is a current or future certificate – used in key rollover scenarios. Options are:
By default the certificate will be used and published by the rules shown in the table below. To override this behavior choose one of the following options for this attribute:
None(Default) - published according to the rules in the table below.
Use Status Published in Metadata Used by Saml2 Both Current Unspecified unless Future key exists, then Signing Yes Both Future Unspecified For decryption only Signing Current Signing Yes Signing Future Signing No Encryption Current Encryption unless Future key exists then not published Yes Encryption Future Encryption Yes
- Filename and path to local SP certificate, only to be used in testing.
- Store name when to be used with certificate store, ex. My
- Store name when to be used with certificate store, ex. LocalMachine
Type to find the X509 certificate in store ex. FindByThumbprint.
Allows for System.Security.Cryptography.X509Certificates.X509FindTypes enum.
- The value to be find according to the x509FindType.