IdP keeps changing signing x509

I have an issue where an SSO link based on SAML is failing due to the fact that the IdP signing certificates are constantly changing.

I (as SP) have a configuration which is based on the IdP's federation metadata; it has two signing certificates (X509). Things are working as expected.

A few weeks later, the SSO link is broken due to the fact that the IdP is returning a SAML Response with a different signing certificate. I checked its metadata: yep, different signing certificates.

How do I implement my end (as SP) so that my SAML Request includes the x509 being used by the IdP?

As well, is it common practice for an IdP to constantly change signing certificates? I never had this issue before, and I have a handful of year-old SSO integrations based on the same strategy: exchange of metadata. Is it possible to configure at the IdP so that certificates are not being changed?
