SP Key Rollover with IdP encryptAssertions="conditional"
cab at umn.edu
Thu Sep 22 17:21:57 BST 2011
Leung, Warren wrote:
>> I think you mean SP metadata. Strictly speaking, you don't need two
>> encryption keys in SP metadata.
> If you can't time the metadata loading with when the SP changes the
> cert/key, then wouldn't you have to have 2? If you had complete control
> of everything I could see how you wouldn't need it 2 though.
Step 1: configure credential resolvers on SP so it accepts messages
encrypted with either the old or new key
Step 2: provide updated metadata to IdPs with the new key (only)
Step 3: wait till all IdPs are using the new key
Step 4: remove the old key from your SP configuration
%% Christopher A. Bongaarts %% cab at umn.edu %%
%% OIT - Identity Management %% http://umn.edu/~cab %%
%% University of Minnesota %% +1 (612) 625-1809 %%
More information about the users