SP Key Rollover with IdP encryptAssertions="conditional"

Tom Scavo trscavo at gmail.com
Thu Sep 22 13:22:03 BST 2011

On Wed, Sep 21, 2011 at 8:38 PM, Leung, Warren <wleung at it.ucla.edu> wrote:
> We have a SP where a certificate is expiring soon, so we wanted to do an
> SP key rollover.  We added another KeyDescriptor (2 total) into the IdP
> metadata both with no use attribute.

I think you mean SP metadata. Strictly speaking, you don't need two
encryption keys in SP metadata.

> The relying-party.xml is configured like the following for SAML2.

At the IdP? You shouldn't have to muck with the IdP's config to
roll over a key at the SP.

> Is there some configuration or a step I missed that would resolve this?

Yes, at the SP (others have provided pointers). If this is an InCommon
SP (and maybe even if it isn't), you might want to read this doc:


Hope this helps,
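As an added example (not code from the thread, from Shibboleth or from InCommon), a small Python check that parses SP metadata and reports which keys an IdP may treat as encryption keys: per SAML 2.0 metadata, a KeyDescriptor with no `use` attribute applies to both signing and encryption, which is how two KeyDescriptors without `use` become two encryption keys. The metadata, key names and certificate values below are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed SP metadata with two KeyDescriptors and no `use` attribute,
# as described in the thread.  Certificate contents are placeholders.
SAMPLE_SP_METADATA = """<md:EntityDescriptor entityID="https://sp.example.org/shibboleth"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor><ds:KeyInfo><ds:KeyName>old-key</ds:KeyName>
      <ds:X509Data><ds:X509Certificate>PLACEHOLDER-OLD</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor><ds:KeyInfo><ds:KeyName>new-key</ds:KeyName>
      <ds:X509Data><ds:X509Certificate>PLACEHOLDER-NEW</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def key_roles(metadata_xml):
    """Return (key_name, use_attr, signing, encryption) per SP KeyDescriptor.

    `use` absent  -> usable for both signing and encryption
    use="signing"    -> signing only
    use="encryption" -> encryption only
    """
    root = ET.fromstring(metadata_xml)
    roles = []
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use")
        name_el = kd.find("ds:KeyInfo/ds:KeyName", NS)
        name = name_el.text if name_el is not None else "(unnamed)"
        roles.append((name, use, use in (None, "signing"),
                      use in (None, "encryption")))
    return roles


def encryption_keys(metadata_xml):
    """Names of the keys an IdP may choose when encrypting assertions to this SP."""
    return [name for name, _, _, enc in key_roles(metadata_xml) if enc]


if __name__ == "__main__":
    for name, use, sig, enc in key_roles(SAMPLE_SP_METADATA):
        print(f"{name}: use={use!r} signing={sig} encryption={enc}")
    print("encryption-capable keys:", encryption_keys(SAMPLE_SP_METADATA))
```

Marking the old KeyDescriptor `use="signing"` leaves a single encryption-capable key, which the second part of the test checks.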
