We are trying to implement a smooth rollover for our saml 2 service provider signing certificates.
We have created new certificates with a notBefore at the date of the rollover in the future. Those certificates are exposed on our metadata endpoint, along the certificates currently used to sign saml messages. They are not yet valid since the notBefore property is in the future. Our service provider will start using them when they become valid.
However some partners are having issues with their identity providers complaining that the new certificate is not yet valid.
So my question is the following: are we allowed to expose future certificates that are not yet valid? If not, how are we supposed to manage the signing certificate rollover in saml 2?
Unfortunately the SAML specification doesn't address how certificate roll over should be handled. Therefore, there's no consistent approach.
What you're doing seems reasonable but then I can also understand why some partners would complain about a certificate that isn't (yet) valid.
Some providers simply update their published SAML metadata at the time of certificate roll over. In other words, the metadata contains the current certificate only rather than any past or future certificates. This then places the onus on the partners to ensure they monitor the metadata and switch the certificate immediately.
Of course, this isn't always practicable. In my experience, it's usually best to communicate with the partners that the certificate will roll over on a certain date and provide them with the new certificate and/or metadata prior to that date. Partners should handle signatures generated by either the new or old certificate for an interval of time around the roll over date to ensure a smooth transition. On the roll over date, you'd also publish the new metadata.
You'd probably want an overlap between the old certificate's NotAfter and the new certificate's NotBefore.