I have read a bit about configuring shibboleth, and recommendations for SAML at internet2
I get the point that a certificate does not have to be signed when used for SAML, because actually only the key is needed. However, I keep seeing people recommending not to use your web servers TLS certificate for signing your SAML requests.
I get that it might cause configuration problems for some types of setups where the clients aren't expected to check the whole certificates chain. But I'm currently using our TLS cert as our SAML cert, and not experiencing any problems, so it seems to work in our case.
Our cert is about to expire so I've started the progress of rolling out a new cert, which involves sending the new public key to the idp. Now our idp responds with:
I prefer to work with a self-signed certificate for SAML-signing & -encryption. I see no reason to use the webserver's certificate for this purpose.
And recommends me to create a self signed cert and trying again.
However, other people in my team don't see a reason not to use this cert, and I can't immediately find one myself. Are there any good reasons against either of these 2 aproaches?
One reason agains creating a self signed cert and using that one is that we then need another check on when this cert is about to expire, and can't forget to do a rollover, whilst now we have a check for the webservers TLS cert and a check for checking this SAML cert might be hard to set up. Why should we bother to do it if our current setup works?
Can anyone give me some hints to why either of these 2 approaches is a bad idea?