Editable trusted Root CA List in ACS
Today SAML tokens which are signed using a certificate issued by a local CA cannot be validated and are therefore rejected by ACS. This is because ACS only trusts Root CAs which are on the out-of-the-box Windows trusted CA list. It would be very useful for ACS customers to decide for themselves which Root CA they trust or not.
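The trust decision the request is about, as an added illustration that is not part of the original post and not ACS code: a relying party validating an identity provider's token-signing certificate will chain it to its configured root CAs. With a trust list the customer cannot edit (modelled here as an empty pool, standing in for a platform list that lacks the private CA), a certificate issued by an on-premises root fails with an unknown-authority error; once that root is added as an explicit anchor, the same certificate validates. All certificates, names and keys below are constructed in-process; nothing is read from a real PKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert generates a P-256 key and signs a certificate from tmpl.
// With parent == nil the certificate is self-signed (a root CA);
// otherwise parent and parentKey sign it.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// chainsTo reports whether the token-signing certificate builds a valid chain
// to one of the roots the relying party has chosen to trust.
func chainsTo(signing *x509.Certificate, roots *x509.CertPool) error {
	_, err := signing.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

// DemoResult records the relying party's decision with and without the
// customer's private root in its trust list.
type DemoResult struct {
	RejectedWithoutAnchor bool // unknown authority when the private root is absent
	AcceptedWithAnchor    bool // chain validates once the private root is added
}

// RunDemo builds a constructed private root CA and a token-signing leaf issued
// by it, then validates the leaf against both trust configurations.
func RunDemo() (DemoResult, error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Private Root CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca, caKey, err := makeCert(caTmpl, nil, nil)
	if err != nil {
		return DemoResult{}, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Example IdP Token Signing (constructed)"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signing, _, err := makeCert(leafTmpl, ca, caKey)
	if err != nil {
		return DemoResult{}, err
	}

	var res DemoResult
	// An empty pool stands in for a fixed trust list that does not contain the
	// customer's private CA: the chain cannot be built, so the token would be rejected.
	if err := chainsTo(signing, x509.NewCertPool()); err != nil {
		var unknown x509.UnknownAuthorityError
		res.RejectedWithoutAnchor = errors.As(err, &unknown)
	}
	// A customer-managed list with the private root added as an explicit anchor.
	custom := x509.NewCertPool()
	custom.AddCert(ca)
	res.AcceptedWithAnchor = chainsTo(signing, custom) == nil
	return res, nil
}

func main() {
	res, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("rejected without private root: %v\n", res.RejectedWithoutAnchor)
	fmt.Printf("accepted with private root:    %v\n", res.AcceptedWithAnchor)
}
```

The point of keeping the anchors in a pool the operator controls is that adding a private root is then an explicit, auditable configuration change, rather than forcing the identity provider onto a publicly issued signing certificate; the same `VerifyOptions` can still enforce validity period, basic constraints and key usage against that root.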
Joseph Crandall commented
Microsoft clearly supports full directory-integrated PKI and self-signed CAs and pushes that solution for on-premise products, but they don't provide that same basic feature set in aws.
Please add it so we can compete with other cloud solutions.
Eric Raff commented
Very much agree. In our env, we have multiple relying parties (on prem) that are currently configured with our token signing cert. Right now I am being forced to change my ADFS token signing cert so I can work with 1 ACS service provider. This means I would then need to update all of my internal relying parties to accept a new self-signed cert from ADFS to get this ACS service provider to work with our env. Not excited about that. Allow ACS customers the ability to add identity providers' token signing certs per service, please.
Philipp Hintermann commented
Would be very useful.