
WSO2 Changelog

Improvement · Asgardeo · 06 Apr, 2026

Automatic Refresh for SAML IDP Certificates from Metadata URL

Asgardeo now supports using a SAML metadata endpoint as the certificate source for external SAML identity providers (Connections). With this enhancement, Asgardeo automatically retrieves and refreshes signing certificates from the configured metadata URL whenever a signature validation failure occurs, removing the need for manual certificate updates during IdP key rotations. Because the metadata endpoint becomes the source of truth for the IdP's signing keys, the configured URL should point to an HTTPS endpoint under the IdP's control: any party able to serve metadata at that URL can supply a certificate that will be trusted for signature validation.

Key capabilities include:

  • SAML metadata endpoint support - Configure a SAML metadata URL for a SAML IdP connection to allow Asgardeo to fetch and cache signing certificates directly from the IdP’s metadata endpoint instead of relying on a manually uploaded PEM certificate.
  • Automatic certificate refresh - When signature validation fails, Asgardeo automatically re-fetches the latest certificate from the metadata endpoint and retries validation, enabling seamless handling of certificate rollovers without administrator intervention.
  • Smart certificate caching - Cached certificates are refreshed and invalidated based on the `validUntil` and `cacheDuration` values defined in the IdP metadata, ensuring the local cache remains aligned with the IdP’s certificate rotation schedule.
  • Flexible configuration options - Administrators can continue using the existing PEM certificate upload approach or switch to metadata-endpoint-based certificate management. Both configuration methods are fully supported for SAML IdP connections.
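The following is an added example, written for this page and not Asgardeo's own code, that models the three behaviours listed above: extracting signing certificates from SAML IdP metadata, deriving the cache lifetime from `validUntil` and `cacheDuration`, and re-fetching once and retrying when signature validation fails. The metadata document, the certificate placeholders (`CERT-A`, `CERT-B`), the entity ID and the one-minute refresh throttle are constructed for the example; `verify_stub` stands in for real XML-DSig verification, which in practice is done with a library such as xmlsec.

```python
"""Metadata-driven signing-certificate cache for an external SAML IdP (illustrative)."""
import re
import xml.etree.ElementTree as ET  # use defusedxml for untrusted metadata in production
from datetime import datetime, timedelta, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
DEFAULT_CACHE = timedelta(hours=24)  # assumed default when metadata states no lifetime
# xsd:duration subset (days/hours/minutes/seconds); years and months are rejected
# because their length is ambiguous.
_DURATION = re.compile(r"^P(?:(?P<d>\d+)D)?"
                       r"(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$")


def parse_duration(value):
    """Parse a cacheDuration value such as 'PT1H' or 'P1DT2H30M' into a timedelta."""
    m = _DURATION.match(value)
    if not m or not any(m.groupdict().values()):
        raise ValueError(f"unsupported xsd:duration: {value!r}")
    p = {k: int(v or 0) for k, v in m.groupdict().items()}
    return timedelta(days=p["d"], hours=p["h"], minutes=p["m"], seconds=p["s"])


def extract_signing_certs(metadata_xml):
    """Return (root, [base64 certs]) from KeyDescriptors usable for signing.
    A KeyDescriptor without `use` may sign and encrypt; use="encryption" keys never sign."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for c in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))  # drop PEM line breaks
    return root, certs


def cache_expiry(root, fetched_at):
    """validUntil is a hard expiry, cacheDuration a refresh interval; the earlier wins."""
    candidates = []
    if root.get("validUntil"):
        candidates.append(datetime.fromisoformat(root.get("validUntil").replace("Z", "+00:00")))
    if root.get("cacheDuration"):
        candidates.append(fetched_at + parse_duration(root.get("cacheDuration")))
    return min(candidates) if candidates else fetched_at + DEFAULT_CACHE


class MetadataCertCache:
    def __init__(self, fetch, now=None, min_refresh_interval=timedelta(minutes=1)):
        self._fetch = fetch  # returns metadata XML; must be fetched over TLS from the IdP's host
        self._now = now or (lambda: datetime.now(timezone.utc))
        self.min_refresh_interval = min_refresh_interval  # assumed throttle, not a spec value
        self.certs, self.fetched_at, self.expires_at, self.refreshes = [], None, None, 0

    def refresh(self):
        fetched_at = self._now()
        root, certs = extract_signing_certs(self._fetch())
        if not certs:
            raise ValueError("metadata carries no signing certificate; old cache kept")
        self.certs, self.fetched_at = certs, fetched_at
        self.expires_at = cache_expiry(root, fetched_at)
        self.refreshes += 1

    def current_certs(self):
        if not self.certs or self._now() >= self.expires_at:
            self.refresh()
        return self.certs

    def validate(self, message, verify):
        """Verify `message`; on failure re-fetch metadata once and retry. The retry is
        throttled so a stream of forged messages cannot turn into a request flood at the IdP."""
        if verify(message, self.current_certs()):
            return True
        if self.fetched_at and self._now() - self.fetched_at < self.min_refresh_interval:
            return False
        self.refresh()
        return verify(message, self.certs)


# Constructed sample metadata; {cert} stands in for a base64 DER certificate.
METADATA_TEMPLATE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml"
    validUntil="2026-12-31T00:00:00Z" cacheDuration="PT1H">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {cert}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>ENC-ONLY</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def verify_stub(message, certs):
    """Stand-in for XML-DSig verification: the constructed message names its signing cert."""
    return message["signer_cert"] in certs


def demo():
    """Constructed rollover: the IdP rotates from CERT-A to CERT-B after the first login."""
    clock = {"now": datetime(2026, 4, 6, tzinfo=timezone.utc)}
    idp = {"cert": "CERT-A"}
    cache = MetadataCertCache(lambda: METADATA_TEMPLATE.format(cert=idp["cert"]),
                              now=lambda: clock["now"])
    result = {"before_rotation": cache.validate({"signer_cert": "CERT-A"}, verify_stub)}
    idp["cert"] = "CERT-B"                 # IdP rotates its signing key
    clock["now"] += timedelta(minutes=5)
    result["after_rotation"] = cache.validate({"signer_cert": "CERT-B"}, verify_stub)
    result["forged"] = cache.validate({"signer_cert": "CERT-EVIL"}, verify_stub)
    result["refreshes"] = cache.refreshes  # initial load + one rollover refresh
    clock["now"] += timedelta(hours=2)     # past cacheDuration: next use re-fetches
    result["certs_after_expiry"] = cache.current_certs()
    result["refreshes_after_expiry"] = cache.refreshes
    return result


if __name__ == "__main__":
    print(demo())
```

Two design points matter in practice: the refresh on failure is bounded (one re-fetch, then the message is rejected) and throttled, so an attacker posting forged responses cannot drive unbounded requests at the IdP's metadata endpoint; and encryption-only KeyDescriptors are excluded from the trusted signer set, since a key published for encryption must never be accepted as a signing key.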

Documentation: