SP Key Rollover with IdP encryptAssertions="conditional"

Tom Scavo trscavo at gmail.com
Thu Sep 22 17:31:31 BST 2011

On Thu, Sep 22, 2011 at 11:50 AM, Leung, Warren <wleung at it.ucla.edu> wrote:
>>I think you mean SP metadata. Strictly speaking, you don't need two
>>encryption keys in SP metadata.
> If you can't time the metadata loading with when the SP changes the
> cert/key, then wouldn't you have to have 2?

In metadata? No.

> If you had complete control
> of everything I could see how you wouldn't need 2 though.

You only need complete control at the SP. If you needed to control the
IdP as well, then key rollover would be impossible in all but the
simplest deployments.
