The check_idp_cert_expiry should improved as follows:
If true and there are multiple IdP certs, we should skip expired IdP certs and use the first one which is not expired. We should only raise the "IdP cert expired" error if there are no non-expired certs.
If true, we should check the e not_before condition (not yet ready). Currently we only check the not_after condition (expired).
The
check_idp_cert_expiry
should improved as follows:not_before
condition (not yet ready). Currently we only check thenot_after
condition (expired).The corresponding changes for SP certs are done here: https://github.com/SAML-Toolkits/ruby-saml/pull/673