How to get chain for SAML Metadata Sign certificate?

Krzysztof Zych

We have an application using Spring Security, and we are using Azure AD with SSO SAML authentication enabled. Our application downloads metadata from the Azure endpoint and verifies whether it can be trusted. Unfortunately, we have to add the certificate that is used to sign this metadata. This is not a problem at the beginning, but after some time Azure AD will roll over this key and use the next one from that metadata file. After that our application is unusable due to a certificate issue. We can resolve that by adding root certification authorities and/or intermediate certification authorities to our trusted store, but we do not know how to get them from the certificate inside the metadata. Are they self-signed certificates? Or maybe there is a way to download the root/intermediate certificate from the Azure Portal?


1 answer
2020-07-09T14:39:22.357+00:00

Certificates generated by the portal are self-signed, so there's no chain, but you can always upload one you own and trust.
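As an added example (not code from the question, the answer, or Spring Security), the following Go program pulls every certificate out of IdP metadata and checks whether each one is self-signed, meaning issuer equals subject and the signature verifies under the certificate's own public key; that is exactly the case in which there is no root or intermediate to import. `SampleMetadata` is a constructed stand-in for the real Azure AD download, built around a freshly generated certificate, and the element layout follows the SAML metadata schema rather than any specific tenant's file.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/xml"
	"math/big"
	"time"
)

// Only the elements we need; unqualified names match the md:/ds: namespaces.
type entityDescriptor struct {
	SigCert  string   `xml:"Signature>KeyInfo>X509Data>X509Certificate"`
	KeyCerts []string `xml:"IDPSSODescriptor>KeyDescriptor>KeyInfo>X509Data>X509Certificate"`
}

// ParseMetadataCerts: the cert that signed the document, then every KeyDescriptor cert.
func ParseMetadataCerts(md []byte) (certs []*x509.Certificate, err error) {
	var ed entityDescriptor
	if err = xml.Unmarshal(md, &ed); err != nil {
		return nil, err
	}
	for _, b64 := range append([]string{ed.SigCert}, ed.KeyCerts...) {
		der, _ := base64.StdEncoding.DecodeString(b64) // line breaks are ignored by the decoder
		c, err := x509.ParseCertificate(der)           // missing Signature or bad base64 fails here
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

// IsSelfSigned: issuer equals subject AND the signature verifies under the cert's own key.
func IsSelfSigned(c *x509.Certificate) bool {
	return c.Issuer.String() == c.Subject.String() && c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil
}

// SampleMetadata: constructed stand-in for the Azure AD download, with one fresh self-signed RSA cert in both places the real document carries one.
func SampleMetadata() []byte {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	tmpl := x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0), Subject: pkix.Name{CommonName: "Constructed Federated SSO Certificate"}}
	der, _ := x509.CreateCertificate(rand.Reader, &tmpl, &tmpl, &key.PublicKey, key) // parent == template: self-signed
	b64 := base64.StdEncoding.EncodeToString(der)
	return []byte(`<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>` + b64 + `</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
<md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>` + b64 + `</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor></md:IDPSSODescriptor></md:EntityDescriptor>`)
}
```

Because a self-signed certificate has no chain, the workable approach is to trust that certificate directly (for example by its SHA-256 fingerprint over `c.Raw`) and to refresh the metadata before the announced rollover so the next KeyDescriptor certificate is already trusted when Azure AD switches to it.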