When we use the HTTPMetadataProvider:
On return from the IDP, we get a
java.security.cert.CertificateException: Peer SSL/TLS certificate is not trusted, add the certificate to your trust store and update tlsKey in extended metadata with the certificate alias.
To overcome this we wrap the HTTPMetadataProvider in an ExtendedMetadataDelegate and provide a tlsKey, which is the SSL certificate presented by the IDP. This should probably be handled by the HTTPMetadataProvider, so the wrapping should be unnecessary. We also tried to give the CA certificate used to sign the SSL certificate, but that did not work either, which will pose a maintenance nightmare.
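The workaround described above, as an added Java configuration example (not code from the reporter or from the Spring Security SAML project), showing the HTTPMetadataProvider wrapped in an ExtendedMetadataDelegate with a tlsKey. It assumes the Spring Security SAML 1.0.x / OpenSAML 2 API; the metadata URL and the keystore alias `idp-tls` are placeholders, and the alias must match the entry under which the IdP's TLS certificate was imported into the keystore that the JKSKeyManager is configured with.

```java
import java.util.Timer;

import org.apache.commons.httpclient.HttpClient;
import org.opensaml.saml2.metadata.provider.HTTPMetadataProvider;
import org.opensaml.saml2.metadata.provider.MetadataProviderException;
import org.opensaml.xml.parse.ParserPool;
import org.springframework.security.saml.metadata.ExtendedMetadata;
import org.springframework.security.saml.metadata.ExtendedMetadataDelegate;

public class IdpMetadataConfig {

    // Placeholder IdP metadata URL (constructed for this example).
    private static final String IDP_METADATA_URL = "https://idp.example.test/saml/metadata";

    // Assumed alias: the IdP's TLS server certificate imported into the
    // JKS keystore that the application's JKSKeyManager points at.
    private static final String IDP_TLS_ALIAS = "idp-tls";

    public static ExtendedMetadataDelegate idpMetadataProvider(ParserPool parserPool)
            throws MetadataProviderException {
        // Fetch the IdP metadata over HTTPS; the daemon Timer drives refreshes.
        HTTPMetadataProvider httpProvider =
                new HTTPMetadataProvider(new Timer(true), new HttpClient(), IDP_METADATA_URL);
        httpProvider.setParserPool(parserPool);

        // tlsKey pins the certificate the IdP presents on the HTTPS connection.
        // The value is the keystore alias, not the certificate itself, which is
        // why the exception asks for "the certificate alias".
        ExtendedMetadata extendedMetadata = new ExtendedMetadata();
        extendedMetadata.setTlsKey(IDP_TLS_ALIAS);

        ExtendedMetadataDelegate delegate =
                new ExtendedMetadataDelegate(httpProvider, extendedMetadata);
        // Keep signature trust checking of the metadata document itself enabled;
        // tlsKey only covers the transport, not the XML signature on the metadata.
        delegate.setMetadataTrustCheck(true);
        return delegate;
    }
}
```

The returned delegate is registered with the MetadataManager as one of its providers, which initializes it. Because tlsKey names the leaf certificate the IdP serves, a certificate rotation on the IdP side requires re-importing the new certificate under the alias and restarting; that is the maintenance cost the report refers to.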