Hello,
after reading the recommendation to rotate the RSA key periodically, I wonder how this will work with SAML.
While OIDC is able to retrieve the new key from the jwks_uri, at least in the systems I tried (GitLab, Artifactory, SonarQube), for SAML you need to configure either the public key or the fingerprint of the private certificate so that the service provider/client is able to verify the signature of assertions in the SAML response.
I do not see in SonarQube, Artifactory, or GitLab how to add multiple fingerprints/public keys, so I would have to replace this there immediately when rotating the RSA key.
Where is the flaw in my reasoning here :-)?
Regards
Mirko
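The difference Mirko describes, as an added illustration that is not part of the original post and not code from GitLab, Artifactory or SonarQube: a small Python model of the two trust stores an SP/client keeps. The certificate bytes, JWKS documents and key IDs are constructed, and the SAML side is reduced to a fingerprint comparison, since a fingerprint is only a hash over the certificate's DER bytes.

```python
import hashlib
from typing import Callable, Dict, Iterable, Optional

# Constructed sample data, not real certificates: these byte strings stand in for
# the DER encoding of an IdP's old and new signing certificate. A certificate
# fingerprint is only a hash over those DER bytes, so the check below is exact.
OLD_CERT_DER = b"constructed-der-bytes: old IdP signing certificate"
NEW_CERT_DER = b"constructed-der-bytes: new IdP signing certificate"


def cert_fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex fingerprint of a DER-encoded certificate,
    in the form SPs usually expect in their configuration."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _canonical(fp: str) -> str:
    return fp.replace(":", "").replace(" ", "").upper()


def saml_signing_cert_trusted(signing_cert_der: bytes,
                              configured_fingerprints: Iterable[str],
                              algo: str = "sha256") -> bool:
    """Model of the SAML SP check: the certificate that signed the assertion
    must match one of the fingerprints the SP was configured with. With a
    single configured fingerprint, the first assertion signed by a rotated
    key is rejected until the SP configuration is updated."""
    actual = _canonical(cert_fingerprint(signing_cert_der, algo))
    return any(_canonical(fp) == actual for fp in configured_fingerprints)


class JwksCache:
    """Model of the OIDC client side: keys are looked up by 'kid' in the
    document served at jwks_uri, and an unknown kid triggers one refetch.
    That is why an OIDC client picks up a rotated key without a config change."""

    def __init__(self, fetch: Callable[[], Dict]) -> None:
        self._fetch = fetch            # stands in for an HTTP GET of jwks_uri
        self._keys: Dict[str, Dict] = {}

    def refresh(self) -> None:
        self._keys = {k["kid"]: k for k in self._fetch()["keys"]}

    def key_for(self, kid: str) -> Optional[Dict]:
        if kid not in self._keys:
            self.refresh()
        return self._keys.get(kid)


# Constructed JWKS documents: before rotation only the old key is published;
# during the overlap period both are, so tokens signed by either still verify.
JWKS_BEFORE = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "idp-2023", "e": "AQAB", "n": "constructed-old-modulus"},
]}
JWKS_OVERLAP = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "idp-2023", "e": "AQAB", "n": "constructed-old-modulus"},
    {"kty": "RSA", "use": "sig", "kid": "idp-2024", "e": "AQAB", "n": "constructed-new-modulus"},
]}


def rotation_walkthrough() -> Dict[str, bool]:
    """Play the same key rotation against both models and report what each
    side accepts. Returns a dict so the outcome can be inspected or tested."""
    published = [JWKS_BEFORE]                   # mutable 'current' jwks_uri content
    oidc = JwksCache(lambda: published[0])
    oidc.key_for("idp-2023")                    # warm the cache with the old key

    single_fp = [cert_fingerprint(OLD_CERT_DER)]
    overlap_fps = [cert_fingerprint(OLD_CERT_DER), cert_fingerprint(NEW_CERT_DER)]

    results = {
        "oidc_old_key_before_rotation": oidc.key_for("idp-2023") is not None,
        "oidc_new_key_before_rotation": oidc.key_for("idp-2024") is not None,
        "saml_old_cert_single_fp": saml_signing_cert_trusted(OLD_CERT_DER, single_fp),
    }

    published[0] = JWKS_OVERLAP                 # the IdP rotates: new key published
    results.update({
        "oidc_new_key_after_rotation": oidc.key_for("idp-2024") is not None,
        "oidc_old_key_after_rotation": oidc.key_for("idp-2023") is not None,
        "saml_new_cert_single_fp": saml_signing_cert_trusted(NEW_CERT_DER, single_fp),
        "saml_new_cert_overlap_fps": saml_signing_cert_trusted(NEW_CERT_DER, overlap_fps),
        "saml_old_cert_overlap_fps": saml_signing_cert_trusted(OLD_CERT_DER, overlap_fps),
    })
    return results


if __name__ == "__main__":
    for name, ok in rotation_walkthrough().items():
        print(f"{name:32} {'accepted' if ok else 'REJECTED'}")
```

The walkthrough shows the asymmetry: the OIDC cache resolves the new `kid` on its next refetch, while the SAML check with one configured fingerprint rejects the new certificate until the SP is reconfigured, and only a trust store that holds both fingerprints gives an overlap window. The SAML metadata format itself allows an IdP to publish more than one signing `KeyDescriptor`, so whether such an overlap works in practice depends on whether a given SP consumes IdP metadata or, as in the setups described above, only a single configured certificate or fingerprint.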