SP certificate - per app or per app-instance
I have a SAML SP app implemented with simpleSamlPHP (http://simplesamlphp.org/).
The application can be used by multiple independent organizations (think of a CMS as an example).
In order to support some Shibboleth IdPs' requirements I have to have my application encrypt its SAML assertions, so I need to work with a certificate and provide the IdP with my certificate.
My question is:
Should I generate a certificate and private key once for my application, so that all organizations (all deployments of the app) will use the same key and certificate? (That would make life easier in terms of setup as well as publishing the metadata of my SP.)
Or should I generate a certificate and private key for every installation of the application? (Which means I can only provide the SP metadata after the application is installed and the certificate has been generated.)