Merge pull request #101 from inflexiontecnologia/master

Be able to handle multiple signing certs provided by AzureAD IdP

Author: pitbulk

README.md

@@ -548,6 +548,14 @@ You should be able to workaround this by configuring your server so that it is a
 For Apache Tomcat this is done by setting the proxyName, proxyPort, scheme and secure attributes for the Connector. See [here](http://serverfault.com/questions/774300/ssl-offloading-from-apache-to-tomcat-get-overwritten-somewhere) for an example.
 
 
+### IdP with multiple certificates
+ 
+ In some scenarios the IdP uses different certificates for
+ signing/encryption, or is under key rollover phase and more than one certificate is published on IdP metadata.
+ 
+ In order to handle that the toolkit offers the `onelogin.saml2.idp.x509certMulti` parameters where you can set additional certificates that will be used to validate IdP signature. However just the certificate setted in `onelogin.saml2.idp.x509cert` parameter will be used for encrypting.
+ 
+
 ### Replay attacks
 
 In order to avoid replay attacks, you can store the ID of the SAML messages already processed, to avoid processing them twice. Since the Messages expires and will be invalidated due that fact, you don't need to store those IDs longer than the time frame that you currently accepting.

core/src/main/java/com/onelogin/saml2/authn/SamlResponse.java

@@ -293,16 +293,16 @@ public boolean isValid(String requestId) {
 			if (signedElements.isEmpty() || (!hasSignedAssertion && !hasSignedResponse)) {
 				throw new ValidationError("No Signature found. SAML Response rejected", ValidationError.NO_SIGNATURE_FOUND);
 			} else {				 
-				X509Certificate cert = settings.getIdpx509cert();
+				List<X509Certificate> certList = settings.getIdpx509certMulti();
 				String fingerprint = settings.getIdpCertFingerprint();
 				String alg = settings.getIdpCertFingerprintAlgorithm();
 
-				if (hasSignedResponse && !Util.validateSign(samlResponseDocument, cert, fingerprint, alg, Util.RESPONSE_SIGNATURE_XPATH)) {
+				if (hasSignedResponse && !Util.validateSign(samlResponseDocument, certList, fingerprint, alg, Util.RESPONSE_SIGNATURE_XPATH)) {
 					throw new ValidationError("Signature validation failed. SAML Response rejected", ValidationError.INVALID_SIGNATURE);
 				}
 
 				final Document documentToCheckAssertion = encrypted ? decryptedDocument : samlResponseDocument;
-				if (hasSignedAssertion && !Util.validateSign(documentToCheckAssertion, cert, fingerprint, alg, Util.ASSERTION_SIGNATURE_XPATH)) {
+				if (hasSignedAssertion && !Util.validateSign(documentToCheckAssertion, certList, fingerprint, alg, Util.ASSERTION_SIGNATURE_XPATH)) {
 					throw new ValidationError("Signature validation failed. SAML Response rejected", ValidationError.INVALID_SIGNATURE);
 				}
 			}

core/src/main/java/com/onelogin/saml2/settings/Saml2Settings.java

@@ -52,6 +52,7 @@ public class Saml2Settings {
 	private URL idpSingleLogoutServiceResponseUrl = null;
 	private String idpSingleLogoutServiceBinding = Constants.BINDING_HTTP_REDIRECT;
 	private X509Certificate idpx509cert = null;
+	private List<X509Certificate> idpx509certMulti = null;
 	private String idpCertFingerprint = null;
 	private String idpCertFingerprintAlgorithm = "sha1";
 
@@ -212,6 +213,13 @@ public final String getIdpCertFingerprintAlgorithm() {
 		return idpCertFingerprintAlgorithm;
 	}
 
+	/**
+	 * @return the idpx509certMulti setting value
+	 */
+	public List<X509Certificate> getIdpx509certMulti() {
+		return idpx509certMulti;
+	}
+
 	/**
 	 * @return the nameIdEncrypted setting value
 	 */
@@ -522,6 +530,15 @@ protected final void setIdpCertFingerprintAlgorithm(String idpCertFingerprintAlg
 		this.idpCertFingerprintAlgorithm = idpCertFingerprintAlgorithm;
 	}
 
+	/**
+	 * Set the idpx509certMulti setting value
+	 *
+	 * @param idpx509certMulti the idpx509certMulti to set
+	 */
+	public void setIdpx509certMulti(List<X509Certificate> idpx509certMulti) {
+		this.idpx509certMulti= idpx509certMulti;
+	}
+
 	/**
 	 * Set the nameIdEncrypted setting value
 	 *

core/src/main/java/com/onelogin/saml2/settings/SettingsBuilder.java

@@ -7,6 +7,7 @@
 import java.security.PrivateKey;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.LinkedHashMap;
 import java.util.LinkedList;
@@ -67,6 +68,7 @@ public class SettingsBuilder {
 	public final static String IDP_SINGLE_LOGOUT_SERVICE_BINDING_PROPERTY_KEY = "onelogin.saml2.idp.single_logout_service.binding";
 
 	public final static String IDP_X509CERT_PROPERTY_KEY = "onelogin.saml2.idp.x509cert";
+	public final static String IDP_X509CERTMULTI_PROPERTY_KEY = "onelogin.saml2.idp.x509certMulti";
 	public final static String CERTFINGERPRINT_PROPERTY_KEY = "onelogin.saml2.idp.certfingerprint";
 	public final static String CERTFINGERPRINT_ALGORITHM_PROPERTY_KEY = "onelogin.saml2.idp.certfingerprint_algorithm";
 
@@ -222,9 +224,15 @@ private void loadIdpSetting() {
 		if (idpSingleLogoutServiceBinding != null)
 			saml2Setting.setIdpSingleLogoutServiceBinding(idpSingleLogoutServiceBinding);
 
+		List<X509Certificate> idpX509certMulti = loadCertificateListFromProp(IDP_X509CERTMULTI_PROPERTY_KEY);
+		if (idpX509certMulti != null)
+			saml2Setting.setIdpx509certMulti(idpX509certMulti);
+
 		X509Certificate idpX509cert = loadCertificateFromProp(IDP_X509CERT_PROPERTY_KEY);
-		if (idpX509cert != null)
+		if (idpX509cert != null) {
 			saml2Setting.setIdpx509cert(idpX509cert);
+			idpX509certMulti.add(0, idpX509cert);
+		}
 
 		String idpCertFingerprint = loadStringProperty(CERTFINGERPRINT_PROPERTY_KEY);
 		if (idpCertFingerprint != null)
@@ -485,15 +493,14 @@ private URL loadURLProperty(String propertyKey) {
 	}
 
 	/**
-	 * Loads a property of the type X509Certificate from the Properties object
+	 * Loads a property of the type X509Certificate from the property value
 	 *
-	 * @param propertyKey
-	 *            the property name
+	 * @param propValue
+	 *            the property value
 	 *
 	 * @return the X509Certificate object
 	 */
-	protected X509Certificate loadCertificateFromProp(String propertyKey) {
-		Object propValue = samlData.get(propertyKey);
+	protected X509Certificate loadCertificateFromProp(Object propValue) {
 
 		if (isString(propValue)) {
 			try {
@@ -511,6 +518,42 @@ protected X509Certificate loadCertificateFromProp(String propertyKey) {
 		return null;
 	}
 
+	/**
+	 * Loads a property of the type X509Certificate from the Properties object
+	 *
+	 * @param propertyKey
+	 *            the property name
+	 *
+	 * @return the X509Certificate object
+	 */
+	protected X509Certificate loadCertificateFromProp(String propertyKey) {
+		return loadCertificateFromProp(samlData.get(propertyKey));
+	}
+
+	/**
+	 * Loads a property of the type List of X509Certificate from the Properties object
+	 *
+	 * @param propertyKey
+	 *            the property name
+	 *
+	 * @return the X509Certificate object list
+	 */
+	private List<X509Certificate> loadCertificateListFromProp(String propertyKey) {
+		List<X509Certificate> list = new ArrayList<X509Certificate>();
+
+		int i = 0;
+		while (true) {
+			Object propValue = samlData.get(propertyKey + "." + i++);
+
+			if (propValue == null)
+				break;
+
+			list.add(loadCertificateFromProp(propValue));
+		}
+
+		return list;
+	}
+
 	/**
 	 * Loads a property of the type X509Certificate from file
 	 *

core/src/main/java/com/onelogin/saml2/util/Util.java

@@ -29,6 +29,7 @@
 import java.security.spec.PKCS8EncodedKeySpec;
 import java.util.Calendar;
 import java.util.Iterator;
+import java.util.List;
 import java.util.Locale;
 import java.util.TimeZone;
 import java.util.UUID;
@@ -852,6 +853,39 @@ public static boolean validateSign(final Document doc, final X509Certificate cer
 		}
 		return false;
 	}
+	
+	/**
+	 * Validate the signature pointed to by the xpath
+	 *
+	 * @param doc The document we should validate
+	 * @param certs The public certificates
+	 * @param fingerprint The fingerprint of the public certificate
+	 * @param alg The signature algorithm method
+	 * @param xpath the xpath of the ds:Signture node to validate
+	 *
+	 * @return True if the signature exists and is valid, false otherwise.
+	 */
+	public static boolean validateSign(final Document doc, final List<X509Certificate> certList, final String fingerprint,
+									   final String alg, final String xpath) {
+		try {
+			final NodeList signatures = query(doc, xpath);
+
+			if (signatures.getLength() == 1) {
+				final Node signNode = signatures.item(0);
+				if (certList == null || certList.isEmpty()) {
+					return validateSignNode(signNode, null, fingerprint, alg);
+				} else {
+					for (X509Certificate cert : certList) {
+						if (validateSignNode(signNode, cert, fingerprint, alg))
+							return true;
+					}
+				}
+			}
+		} catch (XPathExpressionException e) {
+			LOGGER.warn("Failed to find signature nodes", e);
+		}
+		return false;
+	}
 
 	/**
      * Validate signature (Metadata).
@@ -921,10 +955,13 @@ public static Boolean validateSignNode(Node signNode, X509Certificate cert, Stri
 				res = signature.checkSignatureValue(cert);
 			} else {
 				KeyInfo keyInfo = signature.getKeyInfo();
-				if (keyInfo != null && keyInfo.containsX509Data()) {
+				if (fingerprint != null && keyInfo != null && keyInfo.containsX509Data()) {
 					X509Certificate providedCert = keyInfo.getX509Certificate();
-					if (fingerprint.equals(calculateX509Fingerprint(providedCert, alg))) {						
-						res = signature.checkSignatureValue(providedCert);
+					String calculatedFingerprint = calculateX509Fingerprint(providedCert, alg);
+					for (String fingerprintStr : fingerprint.split(",")) {
+						if (calculatedFingerprint.equals(fingerprintStr.trim())) {
+							res = signature.checkSignatureValue(providedCert);
+						}
 					}
 				}
 			}

core/src/test/java/com/onelogin/saml2/test/authn/AuthnResponseTest.java

@@ -2299,6 +2299,57 @@ public void testIsValidSign() throws IOException, Error, XPathExpressionExceptio
 		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
 		assertTrue(samlResponse.isValid());		
 	}
+	
+	/**
+	 * Tests the isValid method of SamlResponse with idpx509certMulti
+	 * Case: valid sign response / sign assertion / both signed
+	 *
+	 * @throws ValidationError
+	 * @throws SettingsException
+	 * @throws IOException
+	 * @throws SAXException
+	 * @throws ParserConfigurationException
+	 * @throws XPathExpressionException
+	 * @throws Error
+	 *
+	 * @see com.onelogin.saml2.authn.SamlResponse#isValid
+	 */
+	@Test
+	public void testIsValidSignWithCertMulti() throws IOException, Error, XPathExpressionException, ParserConfigurationException, SAXException, SettingsException, ValidationError {
+		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.mywithmulticert.properties").build();
+		settings.setWantAssertionsSigned(false);
+		settings.setWantMessagesSigned(false);
+		String samlResponseEncoded = Util.getFileAsString("data/responses/signed_message_response.xml.base64");
+
+		settings.setStrict(false);
+		SamlResponse samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
+		assertTrue(samlResponse.isValid());
+
+		settings.setStrict(true);
+		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
+		assertTrue(samlResponse.isValid());
+
+		samlResponseEncoded = Util.getFileAsString("data/responses/signed_assertion_response.xml.base64");
+
+		settings.setStrict(false);
+		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
+		assertTrue(samlResponse.isValid());
+
+		settings.setStrict(true);
+		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
+		assertTrue(samlResponse.isValid());
+
+		samlResponseEncoded = Util.getFileAsString("data/responses/double_signed_response.xml.base64");
+
+		settings.setStrict(false);
+		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
+		assertTrue(samlResponse.isValid());
+
+		settings.setStrict(true);
+		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
+		assertTrue(samlResponse.isValid());		
+	}
+	
 
 	/**
 	 * Tests the processSignedElements method of SamlResponse
@@ -2505,6 +2556,75 @@ public void testIsInValidSign() throws IOException, Error, XPathExpressionExcept
 		assertFalse(samlResponse.isValid());
 		assertEquals("Found an invalid Signed Element. SAML Response rejected", samlResponse.getError());	
 	}
+	
+	
+
+	/**
+	 * Tests the isValid method of SamlResponse with Idpx509certMulti
+	 * Case: invalid signs
+	 *
+	 * @throws ValidationError
+	 * @throws SettingsException
+	 * @throws IOException
+	 * @throws SAXException
+	 * @throws ParserConfigurationException
+	 * @throws XPathExpressionException
+	 * @throws Error
+	 *
+	 * @see com.onelogin.saml2.authn.SamlResponse#isValid
+	 */
+	@Test
+	public void testIsInValidSignWithCertMulti() throws IOException, Error, XPathExpressionException, ParserConfigurationException, SAXException, SettingsException, ValidationError { 
+		Saml2Settings settings = new SettingsBuilder().fromFile("config/config.min.properties").build();
+		settings.setStrict(true);
+		String samlResponseEncoded = Util.getFileAsString("data/responses/unsigned_response.xml.base64");
+
+		SamlResponse samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
+		assertFalse(samlResponse.isValid());
+		assertEquals("No Signature found. SAML Response rejected", samlResponse.getError());
+
+		settings = new SettingsBuilder().fromFile("config/config.mywithmulticert.properties").build();
+
+		samlResponseEncoded = Util.getFileAsString("data/responses/invalids/triple_signed_response.xml.base64");
+		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
+		assertFalse(samlResponse.isValid());
+		assertEquals("Duplicated ID. SAML Response rejected", samlResponse.getError());
+
+		samlResponseEncoded = Util.getFileAsString("data/responses/invalids/signed_assertion_response_with_2signatures.xml.base64");
+		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
+		assertFalse(samlResponse.isValid());
+		assertEquals("Duplicated ID. SAML Response rejected", samlResponse.getError());
+
+		samlResponseEncoded = Util.getFileAsString("data/responses/invalids/signed_message_response_with_2signatures.xml.base64");
+		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
+		assertFalse(samlResponse.isValid());
+		assertEquals("Duplicated ID. SAML Response rejected", samlResponse.getError());
+
+		samlResponseEncoded = Util.getFileAsString("data/responses/invalids/wrong_signed_element.xml.base64");
+		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
+		assertFalse(samlResponse.isValid());
+		assertEquals("Invalid Signature Element {urn:oasis:names:tc:SAML:2.0:assertion}Subject SAML Response rejected", samlResponse.getError());
+
+		samlResponseEncoded = Util.getFileAsString("data/responses/invalids/wrong_signed_element2.xml.base64");
+		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
+		assertFalse(samlResponse.isValid());
+		assertEquals("Invalid Signature Element {urn:oasis:names:tc:SAML:2.0:assertion}Subject SAML Response rejected", samlResponse.getError());
+		
+		samlResponseEncoded = Util.getFileAsString("data/responses/invalids/duplicate_reference_uri.xml.base64");
+		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
+		assertFalse(samlResponse.isValid());
+		assertEquals("Found an invalid Signed Element. SAML Response rejected", samlResponse.getError());
+		
+		samlResponseEncoded = Util.getFileAsString("data/responses/invalids/no_assertion_id.xml.base64");
+		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
+		assertFalse(samlResponse.isValid());
+		assertEquals("Signed Element must contain an ID. SAML Response rejected", samlResponse.getError());
+
+		samlResponseEncoded = Util.getFileAsString("data/responses/invalids/bad_reference.xml.base64");
+		samlResponse = new SamlResponse(settings, newHttpRequest(samlResponseEncoded));
+		assertFalse(samlResponse.isValid());
+		assertEquals("Found an invalid Signed Element. SAML Response rejected", samlResponse.getError());	
+	}	
 
 	/**
 	 * Tests the validateSignedElements method of SamlResponse

core/src/test/java/com/onelogin/saml2/test/settings/SettingBuilderTest.java

@@ -618,6 +618,8 @@ public void testLoadFromValues() throws Exception {
 		samlData.put(IDP_SINGLE_LOGOUT_SERVICE_BINDING_PROPERTY_KEY, "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect");
 		samlData.put(IDP_SINGLE_LOGOUT_SERVICE_RESPONSE_URL_PROPERTY_KEY, "http://idp.example.com/simplesaml/saml2/idp/SingleLogoutServiceResponse.php");
 		samlData.put(IDP_X509CERT_PROPERTY_KEY, "-----BEGIN CERTIFICATE-----\nMIIBrTCCAaGgAwIBAgIBATADBgEAMGcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQHDAxTYW50YSBNb25pY2ExETAPBgNVBAoMCE9uZUxvZ2luMRkwFwYDVQQDDBBhcHAub25lbG9naW4uY29tMB4XDTEwMTAxMTIxMTUxMloXDTE1MTAxMTIxMTUxMlowZzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWExFTATBgNVBAcMDFNhbnRhIE1vbmljYTERMA8GA1UECgwIT25lTG9naW4xGTAXBgNVBAMMEGFwcC5vbmVsb2dpbi5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMPmjfjy7L35oDpeBXBoRVCgktPkLno9DOEWB7MgYMMVKs2B6ymWQLEWrDugMK1hkzWFhIb5fqWLGbWy0J0veGR9/gHOQG+rD/I36xAXnkdiXXhzoiAG/zQxM0edMOUf40n314FC8moErcUg6QabttzesO59HFz6shPuxcWaVAgxAgMBAAEwAwYBAAMBAA==\n-----END CERTIFICATE-----");
+		samlData.put(IDP_X509CERTMULTI_PROPERTY_KEY  + ".0", "-----BEGIN CERTIFICATE-----\nMIICgTCCAeoCCQCbOlrWDdX7FTANBgkqhkiG9w0BAQUFADCBhDELMAkGA1UEBhMCTk8xGDAWBgNVBAgTD0FuZHJlYXMgU29sYmVyZzEMMAoGA1UEBxMDRm9vMRAwDgYDVQQKEwdVTklORVRUMRgwFgYDVQQDEw9mZWlkZS5lcmxhbmcubm8xITAfBgkqhkiG9w0BCQEWEmFuZHJlYXNAdW5pbmV0dC5ubzAeFw0wNzA2MTUxMjAxMzVaFw0wNzA4MTQxMjAxMzVaMIGEMQswCQYDVQQGEwJOTzEYMBYGA1UECBMPQW5kcmVhcyBTb2xiZXJnMQwwCgYDVQQHEwNGb28xEDAOBgNVBAoTB1VOSU5FVFQxGDAWBgNVBAMTD2ZlaWRlLmVybGFuZy5ubzEhMB8GCSqGSIb3DQEJARYSYW5kcmVhc0B1bmluZXR0Lm5vMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDivbhR7P516x/S3BqKxupQe0LONoliupiBOesCO3SHbDrl3+q9IbfnfmE04rNuMcPsIxB161TdDpIesLCn7c8aPHISKOtPlAeTZSnb8QAu7aRjZq3+PbrP5uW3TcfCGPtKTytHOge/OlJbo078dVhXQ14d1EDwXJW1rRXuUt4C8QIDAQABMA0GCSqGSIb3DQEBBQUAA4GBACDVfp86HObqY+e8BUoWQ9+VMQx1ASDohBjwOsg2WykUqRXF+dLfcUH9dWR63CtZIKFDbStNomPnQz7nbK+onygwBspVEbnHuUihZq3ZUdmumQqCw4Uvs/1Uvq3orOo/WJVhTyvLgFVK2QarQ4/67OZfHd7R+POBXhophSMv1ZOo\n-----END CERTIFICATE-----");
+		samlData.put(IDP_X509CERTMULTI_PROPERTY_KEY  + ".1", "-----BEGIN CERTIFICATE-----\nMIICbDCCAdWgAwIBAgIBADANBgkqhkiG9w0BAQ0FADBTMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRgwFgYDVQQDDA9pZHAuZXhhbXBsZS5jb20wHhcNMTQwOTIzMTIyNDA4WhcNNDIwMjA4MTIyNDA4WjBTMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRgwFgYDVQQDDA9pZHAuZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOWA+YHU7cvPOrBOfxCscsYTJB+kH3MaA9BFrSHFS+KcR6cw7oPSktIJxUgvDpQbtfNcOkE/tuOPBDoech7AXfvH6d7Bw7xtW8PPJ2mB5Hn/HGW2roYhxmfh3tR5SdwN6i4ERVF8eLkvwCHsNQyK2Ref0DAJvpBNZMHCpS24916/AgMBAAGjUDBOMB0GA1UdDgQWBBQ77/qVeiigfhYDITplCNtJKZTM8DAfBgNVHSMEGDAWgBQ77/qVeiigfhYDITplCNtJKZTM8DAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAJO2j/1uO80E5C2PM6Fk9mzerrbkxl7AZ/mvlbOn+sNZE+VZ1AntYuG8ekbJpJtG1YfRfc7EA9mEtqvv4dhv7zBy4nK49OR+KpIBjItWB5kYvrqMLKBa32sMbgqqUqeF1ENXKjpvLSuPdfGJZA3dNa/+Dyb8GGqWe707zLyc5F8m\n-----END CERTIFICATE-----");
 		samlData.put(CERTFINGERPRINT_PROPERTY_KEY, "4b6f70bb2cab82c86a8270f71a880b62e25bc2b3");
 		samlData.put(CERTFINGERPRINT_ALGORITHM_PROPERTY_KEY, "sha1");
 
@@ -672,6 +674,14 @@ public void testLoadFromValues() throws Exception {
 		assertEquals(setting.getIdpSingleLogoutServiceBinding(), "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect");
 		assertNotNull(setting.getIdpx509cert());
 		assertEquals(Util.loadCert(Util.getFileAsString("certs/certificate1")), setting.getIdpx509cert());
+		assertNotNull(setting.getIdpx509certMulti());
+		assertEquals(setting.getIdpx509certMulti().size(), 3);
+		assertNotNull(setting.getIdpx509certMulti().get(0));
+		assertEquals(Util.loadCert(Util.getFileAsString("certs/certificate1")), setting.getIdpx509certMulti().get(0));
+		assertNotNull(setting.getIdpx509certMulti().get(1));
+		assertEquals(Util.loadCert(Util.getFileAsString("certs/certificate2")), setting.getIdpx509certMulti().get(1));
+		assertNotNull(setting.getIdpx509certMulti().get(2));
+		assertEquals(Util.loadCert(Util.getFileAsString("certs/certificate3")), setting.getIdpx509certMulti().get(2));
 		assertEquals("4b6f70bb2cab82c86a8270f71a880b62e25bc2b3", setting.getIdpCertFingerprint());
 		assertEquals("sha1", setting.getIdpCertFingerprintAlgorithm());