For IDP AuthnRequest force use of EB's default key

[tvdijen]

In addition to https://github.com/OpenConext/OpenConext-engineblock/pull/1231 we see the same incorrect behaviour towards IDPs when an SP uses the key-slug SSO-endpoints.

The default key should always be used for signed AuthnRequests towards IDPs

[thijskh]

I cannot reproduce this.

Given:

• Have an EB with two keys configured.
• Configure one SP with keyID 2018 (default), the other with keyID 2023
• Have IdP which receives signed authnrequests

Then:

• When IdP has certificate 2018 configured, both SP's can successfully login.
• When IdP has certificate 2023 configured, both SP's can not log in (idp errors with cannot verify signature on authnrequest)

[tvdijen]

@ArnoutvdKnaap Please follow this up

[thijskh]

It seems we're able to reproduce it. Will test further.