SP Key Rollover with IdP encryptAssertions="conditional"

Cantor, Scott cantor.2 at osu.edu
Thu Sep 22 01:50:18 BST 2011

On 9/21/11 8:38 PM, "Leung, Warren" <wleung at it.ucla.edu> wrote:
>We have a SP where a certificate is expiring soon, so we wanted to do an
>SP key rollover.  We added another KeyDescriptor(2 total) into the IdP
>metadata both with no use attribute.  After the metadata is refreshed into
>the IdP we get the following error on the SP
>2011-09-21 15:51:01 ERROR Shibboleth.SSO.SAML2 [1]: Unable to resolve any
>key decryption keys.

You can't add an encryption key to the metadata if the SP doesn't have
access to it. The IdP is allowed to pick any key to encrypt with, and
you'd better be able to decrypt.

That said, if you put that new key first, that's basically asking any
typical IdP to use it for encryption. You can't do it that way.

>Since we are pushing attributes to the SP, the IdP will pick a certificate
>to encrypt the assertion to the SP and if it is wrong then the error
>occurs.  If it was a pull the SP would present a cert and thus the IdP
>would know what to use to encrypt it back to the SP.  Is my understanding
>of this correct?


>Is there some configuration or a step I missed that would resolve this?

Yes, using the SP configuration to configure the new key for decryption
only before adding it to the metadata and then swapping things.


There are other ways, which require control over metadata key usage bits.
They're all comparatively similar.

-- Scott

More information about the users mailing list