The check_idp_cert_expiry should improved as follows:
If true and there are multiple IdP certs, we should skip expired IdP certs and use the first one which is not expired. We should only raise the "IdP cert expired" error if there are no non-expired certs.
If true, we should check the e not_before condition (not yet ready). Currently we only check the not_after condition (expired).
The
check_idp_cert_expiryshould improved as follows:not_beforecondition (not yet ready). Currently we only check thenot_aftercondition (expired).The corresponding changes for SP certs are done here: https://github.com/SAML-Toolkits/ruby-saml/pull/673