diff --git a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
index ce9ae7a71b0f16312954eb83c5465e4e6e30eee0..bb9ca85bc9efa0fe9e351a404a10010ab2654847 100644
--- a/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
+++ b/lib/SimpleSAML/XML/Shib13/AuthnResponse.php
@@ -88,19 +88,28 @@ class SimpleSAML_XML_Shib13_AuthnResponse {
/* Get the metadata of the issuer. */
$metadata = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
- $md = $metadata->getMetaData($issuer, 'shib13-idp-remote');
-
- if(array_key_exists('certFingerprint', $md)) {
- /* Get fingerprint for the certificate of the issuer. */
- $issuerFingerprint = $md['certFingerprint'];
+ $md = $metadata->getMetaDataConfig($issuer, 'shib13-idp-remote');
+
+ $publicKeys = $md->getPublicKeys('signing');
+ if ($publicKeys !== NULL) {
+ $certFingerprints = array();
+ foreach ($publicKeys as $key) {
+ if ($key['type'] !== 'X509Certificate') {
+ continue;
+ }
+ $certFingerprints[] = sha1(base64_decode($key['X509Certificate']));
+ }
+ $this->validator->validateFingerprint($certFingerprints);
+ } elseif ($md->hasValue('certFingerprint')) {
+ $certFingerprints = $md->getArrayizeString('certFingerprint');
/* Validate the fingerprint. */
- $this->validator->validateFingerprint($issuerFingerprint);
- } elseif(array_key_exists('caFile', $md)) {
+ $this->validator->validateFingerprint($certFingerprints);
+ } elseif ($md->hasValue('caFile')) {
/* Validate against CA. */
- $this->validator->validateCA(SimpleSAML_Utilities::resolveCert($md['caFile']));
+ $this->validator->validateCA(SimpleSAML_Utilities::resolveCert($md->getString('caFile')));
} else {
- throw new Exception('Required field [certFingerprint] or [caFile] in Shibboleth 1.3 IdP Remote metadata was not found for identity provider [' . $issuer . ']. Please add a fingerprint and try again. You can add a dummy fingerprint first, and then an error message will be printed with the real fingerprint.');
+ throw new SimpleSAML_Error_Exception('Missing certificate in Shibboleth 1.3 IdP Remote metadata for identity provider [' . $issuer . '].');
}
return true;