During the development of OpenAthens SP we made a design decision to omit support for IdPs that rely on PKIX-based trust rather than the more common method of inlining certificates within their metadata.
In making this decision we looked at the UK Access Management Federation's technical specifications, noting that "the PKIX-based trust mechanism [is] falling out of favour internationally, and being gradually replaced in most environments by the direct embedding approach as defined in the [SAML2MIOP] specification" (section 2, page 5). While the UKAMF does not forbid the PKIX method, its recommendations clearly favour the embedded method:
- "We recommend, however, verifying a <KeyDescriptor> (or all available <KeyDescriptor>s, when appropriate) using the direct key scheme" (section 2.1, page 7)
- "In the longer term, however, the contents of the export aggregate may be based instead on all entities from the normal aggregates which meet appropriate technical eligibility criteria. One likely requirement is that entities included in the export aggregate include embedded key material, so that they can participate in trust fabrics independent of the UK federation's selection of PKIX trust roots" (section 4.5.3, page 17).
That being the case, we do recognise that a number of IdPs are using this method, and so will reassess including this functionality in later releases of OpenAthens SP.
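The distinction the note turns on, embedded key material versus a key that is only named and left to PKIX validation, is visible directly in an IdP's metadata. The following Python is an added example, not OpenAthens code, that walks a SAML 2.0 metadata aggregate and reports, for each IdP, whether its signing `<md:KeyDescriptor>` carries a `<ds:X509Certificate>` (the direct key scheme) or only a `<ds:KeyName>`. The sample aggregate, its entityIDs and the certificate placeholder are constructed for the illustration; an SP operator would run it against a real federation aggregate to see which IdPs fall outside the embedded-key scheme.

```python
"""Classify the trust material each IdP publishes in a SAML 2.0 metadata aggregate.

Added example (not OpenAthens or UKAMF code). For every <md:EntityDescriptor>
that carries an <md:IDPSSODescriptor>, report whether its signing
<md:KeyDescriptor>s embed an X.509 certificate (the "direct key" scheme) or
only name a key via <ds:KeyName>, which leaves trust to a PKIX validation path.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
MD_ENTITY = "{urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor"


def classify_entity(entity):
    """Return 'embedded', 'pkix-only' or 'none' for one EntityDescriptor's IdP role."""
    embedded = False
    named = False
    for kd in entity.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor with no "use" attribute serves both signing and encryption;
        # encryption-only keys do not anchor trust in the IdP's assertions, so skip them.
        if kd.get("use") not in (None, "signing"):
            continue
        if kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS) is not None:
            embedded = True
        elif kd.find("ds:KeyInfo/ds:KeyName", NS) is not None:
            named = True
    if embedded:
        return "embedded"
    if named:
        return "pkix-only"
    return "none"


def classify_aggregate(xml_text):
    """Map each IdP entityID in the document to its key-material classification."""
    root = ET.fromstring(xml_text)
    result = {}
    # iter() visits the root itself too, so a single-entity file (root is the
    # EntityDescriptor) and an EntitiesDescriptor aggregate are both handled.
    for entity in root.iter(MD_ENTITY):
        if entity.find("md:IDPSSODescriptor", NS) is None:
            continue  # SP-only entities are not relevant to this check
        result[entity.get("entityID")] = classify_entity(entity)
    return result


def unsupported_idps(xml_text):
    """IdPs that publish no embedded certificate, i.e. those relying on PKIX or nothing."""
    return sorted(eid for eid, kind in classify_aggregate(xml_text).items()
                  if kind != "embedded")


# Constructed sample aggregate: one embedded-key IdP, one KeyName-only IdP, one SP.
SAMPLE_AGGREGATE = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                       xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://idp.embedded.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>MIICconstructedPlaceholderNotARealCertificate==</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp.embedded.example/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.pkix.example/idp">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:KeyName>idp.pkix.example</ds:KeyName></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp.pkix.example/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.example/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""

if __name__ == "__main__":
    for entity_id, kind in classify_aggregate(SAMPLE_AGGREGATE).items():
        print(f"{kind:10s} {entity_id}")
    print("IdPs without embedded key material:", unsupported_idps(SAMPLE_AGGREGATE))
```

Only presence of the certificate element is checked here; validating the embedded certificate against the signed aggregate is the metadata consumer's job and is out of scope for this listing.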