diff --git a/lib/saml_idp/service_provider.rb b/lib/saml_idp/service_provider.rb index 88a4cb67..4124e359 100644 --- a/lib/saml_idp/service_provider.rb +++ b/lib/saml_idp/service_provider.rb @@ -6,8 +6,7 @@ module SamlIdp class ServiceProvider include Attributeable attribute :identifier - attribute :cert - attribute :fingerprint + attribute :certs attribute :metadata_url attribute :validate_signature attribute :acs_url @@ -15,18 +14,30 @@ class ServiceProvider delegate :config, to: :SamlIdp + attr_reader :matching_cert + def valid? attributes.present? end def valid_signature?(doc, require_signature = false, options = {}) if require_signature || should_validate_signature? - doc.valid_signature?(fingerprint, options.merge(cert: cert)) + Array(certs).any? do |cert| + if doc.valid_signature?(fingerprint_cert(cert), options.merge(cert: cert)) + @matching_cert = cert + true + end + end else true end end + # @param [OpenSSL::X509::Certificate] ssl_cert + def fingerprint_cert(ssl_cert) + OpenSSL::Digest::SHA256.new(ssl_cert.to_der).hexdigest + end + def should_validate_signature? attributes[:validate_signature] || current_metadata.respond_to?(:sign_assertions?) && current_metadata.sign_assertions? diff --git a/lib/saml_idp/version.rb b/lib/saml_idp/version.rb index 8412c8ab..17e2a9b4 100644 --- a/lib/saml_idp/version.rb +++ b/lib/saml_idp/version.rb @@ -1,4 +1,4 @@ # encoding: utf-8 module SamlIdp - VERSION = '0.12.2-18f'.freeze + VERSION = '0.13.0-18f'.freeze end diff --git a/spec/lib/saml_idp/controller_spec.rb b/spec/lib/saml_idp/controller_spec.rb index 4810e703..a5521d5e 100644 --- a/spec/lib/saml_idp/controller_spec.rb +++ b/spec/lib/saml_idp/controller_spec.rb 
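Review bot: Dropping `attribute :cert` and `attribute :fingerprint` in favour of `attribute :certs` silently breaks every existing service-provider finder that still returns `cert:`/`fingerprint:` keys, and the failure mode is that `certs` is nil, so (per the second hunk) every signed request is rejected rather than raising a configuration error. That is fail-closed, which is right, but an operator will see it as an outage with no hint why; presumably Attributeable ignores unknown keys, which is worth confirming. Consider rejecting the old keys explicitly in the finder result or at least documenting the migration next to the attribute, e.g. `attribute :certs # Array<OpenSSL::X509::Certificate>; replaces :cert/:fingerprint, which are no longer read`. The class continues past this hunk.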
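Review bot: `@matching_cert` is only ever assigned on success inside the `any?` block and never cleared, so after one successful `valid_signature?` call a later call that fails (or that takes the `else true` branch because validation is not required) leaves `matching_cert` pointing at the previous cert, and a caller using it to pick an encryption key or to log which SP cert verified the request would get stale state; add `@matching_cert = nil` as the first line of `valid_signature?`. The `Array(certs)` wrapper means an unset `certs` yields an empty array and `any?` returns false, which correctly fails closed when a signature is required. Note also that `fingerprint_cert` now yields a bare lowercase SHA-256 hex string, whereas the removed configured `fingerprint` attribute could have been in any format; this only works if `doc.valid_signature?` compares the same normalised form, which is not visible here and should be confirmed against the Default::FINGERPRINT fixture used in the specs. The enclosing class is cut off at both ends of this hunk.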
@@ -26,9 +26,10 @@ def head(status, options = {}) SamlIdp.configure do |config| config.service_provider.finder = lambda do |_| { - cert: SamlIdp::Default::X509_CERTIFICATE, + certs: [ + OpenSSL::X509::Certificate.new(Base64.decode64(SamlIdp::Default::X509_CERTIFICATE)) + ], private_key: SamlIdp::Default::SECRET_KEY, - fingerprint: SamlIdp::Default::FINGERPRINT, assertion_consumer_logout_service_url: 'http://foo.example.com/sp-initiated/slo' } end diff --git a/spec/lib/saml_idp/service_provider_spec.rb b/spec/lib/saml_idp/service_provider_spec.rb index 6b34474d..5b6b950d 100644 --- a/spec/lib/saml_idp/service_provider_spec.rb +++ b/spec/lib/saml_idp/service_provider_spec.rb @@ -4,19 +4,13 @@ module SamlIdp subject { described_class.new attributes } let(:attributes) { {} } - it { is_expected.to respond_to :fingerprint } it { is_expected.to respond_to :metadata_url } it { is_expected.not_to be_valid } describe "with attributes" do - let(:attributes) { { fingerprint: fingerprint, metadata_url: metadata_url } } - let(:fingerprint) { Default::FINGERPRINT } + let(:attributes) { { metadata_url: metadata_url } } let(:metadata_url) { "http://localhost:3000/metadata" } - it "has a valid fingerprint" do - expect(subject.fingerprint).to eq(fingerprint) - end - it "has a valid metadata_url" do expect(subject.metadata_url).to eq(metadata_url) end
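Review bot: The removed fingerprint assertions are not replaced by any coverage of the new behaviour: nothing here exercises `certs` with more than one certificate, a signature that matches only the second cert, or that `matching_cert` is set to the cert that verified and is not left over from an earlier call. At minimum the service_provider_spec should add `it { is_expected.to respond_to :certs }` and `it { is_expected.to respond_to :matching_cert }` alongside the surviving `metadata_url` example, and a rotation case (old cert plus new cert, request signed with the new one) belongs in the controller spec since the fixture there now builds the `certs` array. Without that, the `any?` loop and the stale-state behaviour of `@matching_cert` are unverified by the suite.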