Asked by:
Conflicting encryption certificates error in ADFS 3.0

Question
-
I am trying to update a relying party trust from federation metadata which contains two signing and two encryption certificates, but ADFS shows me this error:
"An unexpected error occurred during attempt to process the federation metadata. Verify that the federation metadata is correct and try again.
Error message: MSIS7508: The metadata contains unexpected data. Conflicting encryption certificates were found in the Role Descriptions needed to represent a service provider role."

The idea behind storing two signing and two encryption certificates in the metadata is to make a smooth transition period when the old certificates are about to expire and the new certificates are added to the metadata as secondary certificates. This strategy works fine with two signing certificates but does not work with two encryption certificates.
Metadata I am trying to update:
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" ID="https://www.alpha.wrke.io/account/1401896/alias/alpha.wrke.io" entityID="https://www.alpha.wrke.io/account/1401896/alias/alpha.wrke.io">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDZTCCAk2gAwIBAgIJAN/SEJKXNLDZMA0GCSqGSIb3DQEBCwUAMHIxCzAJBgNVBAYTAlVTMQsw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</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDZTCCAk2gAwIBAgIJAN/SEJKXNLDZMA0GCSqGSIb3DQEBCwUAMHIxCzAJBgNVBAYTAlVTMQsw
CQYDVQQIEwJDQTELMAkGA1UEBxMCQ0ExEjAQBgNVBAoTCVdyaWtlIERldjEhMB8GA1UECxMYRG9t
YWluIENvbnRyb2wgVmFsaWRhdGVkMRIwEAYDVQQDDAkqLndya2UuaW8wHhcNMTgwMjA4MTI0NDUx
WhcNMjAwMjA4MTI0NDUxWjByMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExCzAJBgNVBAcTAkNB
MRIwEAYDVQQKEwlXcmlrZSBEZXYxITAfBgNVBAsTGERvbWFpbiBDb250cm9sIFZhbGlkYXRlZDES
MBAGA1UEAwwJKi53cmtlLmlvMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqtPebxuF
FoqVuVjj0rb5/scqWGFSHolDcRELcYAIMADNe/MBee5thsL8dGGThsJByQevME38yxz6XRBUnOyJ
+Usnij+DGjk8UoRj+qqUAxRsWq6qbqWmo071VTqQtOtNZqdExQUwYsO4KLSb1OMi9JLKBdYD6z52
LYE+T8o4wsTOPlmSYgZafMG8Wod+7d9JndxBCjRJtgHlDjPM7Vl0O4aI/FyRJqg3RPb2UiuLfPr+
TDGdbxwvOwEHujBRm5DVUXrniYLz2yrNKWECcxuJ2XPQRf2a9gzCxjvQwWMqwL5s/62TPf21p6en
ZgkXKKZVOH0XydPsJlsP6vZh4mJKWQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBnKtGtiPVaaGT4
Rw2imoLLiTEm3uGFqUy0jc5A7Pzb/BapMr6v1KKm4ugy36iECeQiBxcenGuLG3Iq/nU+DzhCgFoO
ffkheaIPGyvOBoD1QFGYHe6YP3J8DtZAXrHqbiwMtKOFoaSzp8FwcQSCOTqNM1tSYjVU2hvr4/LD
DT74Ceb7s8LmE83p9/YvQsKBpJ2EyvxShCCorNzxv5A3gIyfkVrPSH8vvaiU5ITiN5xb1X4OHRPi
tLVhoU4e04j779pBLp1iGcmyFaZw7+sAQPscmFMQm5pH0ut0LKyBHdGMwEfzoy0l759tRltPmQk5
jp5goGEoHcFl9ZbKnSY8zpY9</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDZDCCAkygAwIBAgIIJ2fk6TevwxwwDQYJKoZIhvcNAQELBQAwcjELMAkGA1UEBhMCVVMxCzAJ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</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDZDCCAkygAwIBAgIIJ2fk6TevwxwwDQYJKoZIhvcNAQELBQAwcjELMAkGA1UEBhMCVVMxCzAJ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</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://alpha.wrke.io/saml/SingleLogout/account/1401896/alias/alpha.wrke.io"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://alpha.wrke.io/saml/SingleLogout/account/1401896/alias/alpha.wrke.io"/>
    <md:NameIDFormat xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://alpha.wrke.io/saml/SSO/account/1401896/alias/alpha.wrke.io" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://alpha.wrke.io/saml/SSO/account/1401896/alias/alpha.wrke.io" index="1"/>
    <md:AttributeConsumingService index="0" isDefault="true" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
      <md:ServiceName xmlns:xml="http://www.w3.org/XML/1998/namespace" xml:lang="en">Wrike</md:ServiceName>
      <md:RequestedAttribute Name="firstName"/>
      <md:RequestedAttribute Name="lastName"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

Old and new encryption certificates have the same issuer and subject.
So the question is: does ADFS support multiple encryption certificates, and how do I configure it properly?
Wednesday, February 14, 2018 9:41 AM
All replies
-
AD FS supports only a single encryption certificate. A second one can be added and placed ready to switch to when desired. However, only one encryption certificate may be configured as primary.
Wednesday, February 14, 2018 6:13 PM
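An added pre-import check for the situation in this thread (example code written for this page; it is not AD FS, Wrike or Microsoft code). It parses SP metadata with the Python standard library, counts distinct certificates per key use, flags more than one encryption certificate, which the reply above says AD FS will not accept, and can trim the metadata down to one chosen encryption KeyDescriptor while leaving both signing certificates in place for the rollover. The sample metadata, the dummy base64 "certificates", the entityID and all function names are constructed for the illustration. Certificates are compared by a fingerprint over the decoded bytes rather than by subject or issuer, because, as the question notes, a rolled-over certificate typically keeps both.

```python
"""Pre-flight check for SAML SP metadata before importing it into AD FS.

Added example: helpers and sample data are constructed for this page and
are not part of any AD FS or SAML library.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
KEY_DESCRIPTOR = f"{{{MD_NS}}}KeyDescriptor"
X509_CERT = f"{{{DS_NS}}}X509Certificate"

# Keep the md:/ds: prefixes when trimmed metadata is serialised again.
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)


def fingerprint(b64_cert: str) -> str:
    """SHA-256 over the decoded (DER) bytes; whitespace inside the base64 is ignored."""
    der = base64.b64decode("".join(b64_cert.split()))
    return hashlib.sha256(der).hexdigest()


def keys_by_use(metadata_xml: str) -> dict:
    """Map each key use to the ordered list of distinct certificate fingerprints.

    Per the SAML metadata spec a KeyDescriptor without a 'use' attribute is
    valid for both signing and encryption, so it is counted under both.
    """
    root = ET.fromstring(metadata_xml)
    found = {"signing": [], "encryption": []}
    for kd in root.iter(KEY_DESCRIPTOR):
        use = kd.get("use")
        uses = [use] if use in found else list(found)
        for cert in kd.iter(X509_CERT):
            fp = fingerprint(cert.text or "")
            for u in uses:
                if fp not in found[u]:
                    found[u].append(fp)
    return found


def check_for_adfs(metadata_xml: str) -> list:
    """Return human-readable findings; an empty list means the key set is acceptable."""
    keys = keys_by_use(metadata_xml)
    findings = []
    if len(keys["encryption"]) > 1:
        findings.append(
            f"{len(keys['encryption'])} distinct encryption certificates; "
            "AD FS accepts only one per relying party (expect MSIS7508)"
        )
    if not keys["signing"]:
        findings.append("no signing certificate; AD FS cannot verify signed requests")
    return findings


def keep_single_encryption_key(metadata_xml: str, keep_fp: str) -> str:
    """Drop every encryption-only KeyDescriptor except the one whose fingerprint is keep_fp.

    Signing KeyDescriptors are untouched, so a two-signing-certificate rollover
    keeps working. Parents are collected first so the tree is not mutated while
    being iterated.
    """
    root = ET.fromstring(metadata_xml)
    parents = [p for p in root.iter() if p.find(KEY_DESCRIPTOR) is not None]
    for parent in parents:
        for kd in list(parent.findall(KEY_DESCRIPTOR)):
            if kd.get("use") != "encryption":
                continue
            cert = kd.find(f".//{X509_CERT}")
            if cert is None or fingerprint(cert.text or "") != keep_fp:
                parent.remove(kd)
    return ET.tostring(root, encoding="unicode")


# Constructed sample: dummy "certificates" (base64 of labelled bytes, not real
# DER) mirroring the question's layout of two signing and two encryption keys.
OLD_SIGN = base64.b64encode(b"constructed-old-signing-cert").decode()
NEW_SIGN = base64.b64encode(b"constructed-new-signing-cert").decode()
OLD_ENC = base64.b64encode(b"constructed-old-encryption-cert").decode()
NEW_ENC = base64.b64encode(b"constructed-new-encryption-cert").decode()


def _kd(use: str, cert: str) -> str:
    return (f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
            f'<ds:X509Certificate>{cert}</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')


SAMPLE_METADATA = (
    f'<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}" '
    'entityID="https://sp.example.test/">'
    '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
    + _kd("signing", OLD_SIGN) + _kd("encryption", OLD_ENC)
    + _kd("signing", NEW_SIGN) + _kd("encryption", NEW_ENC)
    + '</md:SPSSODescriptor></md:EntityDescriptor>'
)

if __name__ == "__main__":
    for line in check_for_adfs(SAMPLE_METADATA) or ["no findings"]:
        print(line)
    trimmed = keep_single_encryption_key(SAMPLE_METADATA, fingerprint(NEW_ENC))
    print("after trimming:", check_for_adfs(trimmed) or "no findings")
```

Run against the real metadata by passing the file contents to check_for_adfs before importing it into AD FS; if the only finding is the second encryption certificate, publish a version with a single encryption KeyDescriptor (for example via keep_single_encryption_key) and keep both signing certificates, which is the part of the rollover that AD FS does handle.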