We've been setting up several new partnership federations lately, where we use CA SSO 12.52 SP1 CR04 as a Service Provider to serve multiple Identity Providers implemented with different technologies, but always sticking to SAML 2.0.
One of our IdPs is using Microsoft ADFS, and we had a hard time explaining to them that the federation stopped working when their token-signing certificate was automatically replaced by some procedure that puts a new certificate online to be downloaded with the metadata. Apparently they were assuming we could automatically download and install the new certificate without any notification.
They say their ADFS will do the certificate rollover without intervention, assumed our Siteminder would do the same, and even if they are willing to alert us on a new certificate release, the fact that it is the ADFS itself that substitutes them without intervention would prevent them from agreeing with us on a coordinated action to reduce the outage.
I came across a feature that's in SM 12.6:
No secondary certificate option is available for encryption
It seems the perfect feature to ease the problem, since this would allow us to load the new certificate in advance, and whenever the IdP ADFS rolls the old one away, our Service Provider would already be fitted with the new one and there would be no outage at all.
Unfortunately I found news about this feature for v. 12.6, but we are still on 12.52 SP01CR04.
Does anyone know of similar possibilities on 12.52 SP1 CRxx? I could plan a quick in-place upgrade to a greater CR than the currently installed 04, but it's a bit more complicated to jump to a newer major release.
Are there any possibilities to backport the feature to 12.52SP1 by any means? That would be a life-saver for us, since I see more and more ADFS partnerships upcoming...
Thank you all!
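An added example that is not part of the original post and not code from CA SSO or ADFS: a small Python check an SP operator could run against the IdP's published SAML metadata to spot a token-signing certificate the SP does not yet trust, so the rollover is noticed (and the new certificate loaded) before it causes an outage. It assumes the operator can list the SHA-256 fingerprints of the certificates currently trusted by the SP; the metadata and certificate bytes below are constructed placeholders, not real DER.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder certificate bytes (not real DER); a real run
# fingerprints the X509Certificate elements of the IdP's metadata.
OLD_DER = b"constructed-old-adfs-token-signing-cert"
NEW_DER = b"constructed-new-adfs-token-signing-cert"

def b64(der: bytes) -> str:
    return base64.b64encode(der).decode()

# Constructed ADFS-style metadata: during rollover the IdP publishes both
# the current and the upcoming token-signing certificate as signing keys.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="https://idp.example.invalid/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{b64(NEW_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{b64(OLD_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def published_signing_fingerprints(metadata_xml: str) -> list:
    """SHA-256 fingerprints of every signing cert in the IdP metadata, in
    document order. A KeyDescriptor without 'use' covers signing as well."""
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            found.append(fingerprint(der))
    return found

def rollover_report(metadata_xml: str, trusted: list) -> dict:
    """'new' = published by the IdP but not yet installed on the SP (load
    these ahead of the switch); 'retired' = trusted but no longer published."""
    published = published_signing_fingerprints(metadata_xml)
    return {"new": [fp for fp in published if fp not in set(trusted)],
            "retired": sorted(set(trusted) - set(published))}
```

Running `rollover_report(SAMPLE_METADATA, [fingerprint(OLD_DER)])` reports the new certificate's fingerprint under "new" and nothing under "retired"; scheduling this against the IdP's metadata URL gives the notification the IdP side cannot promise.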