SP Key Rollover with IdP encryptAssertions="conditional"

Christopher Bongaarts cab at umn.edu
Thu Sep 22 17:21:57 BST 2011

Leung, Warren wrote:

>> I think you mean SP metadata. Strictly speaking, you don't need two
>> encryption keys in SP metadata.
> If you can't time the metadata loading with when the SP changes the
> cert/key, then wouldn't you have to have 2?  If you had complete control
> of everything I could see how you wouldn't need it 2 though.

Step 1: configure credential resolvers on SP so it accepts messages 
encrypted with either the old or new key
Step 2: provide updated metadata to IdPs with the new key (only)
Step 3: wait till all IdPs are using the new key
Step 4: remove the old key from your SP configuration

%%  Christopher A. Bongaarts   %%  cab at umn.edu          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%

More information about the users mailing list