SP Key Rollover with IdP encryptAssertions="conditional"

Tom Scavo trscavo at gmail.com
Thu Sep 22 17:39:09 BST 2011

On Thu, Sep 22, 2011 at 12:21 PM, Christopher Bongaarts <cab at umn.edu> wrote:
> Step 1: configure credential resolvers on SP so it accepts messages
> encrypted with either the old or new key
> Step 2: provide updated metadata to IdPs with the new key (only)
> Step 3: wait till all IdPs are using the new key
> Step 4: remove the old key from your SP configuration

If the metadata contains a key descriptor with use="encryption", then
that's about right. If, OTOH, the metadata contains a key descriptor
with no use attribute, then it's a bit more complicated than that.

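An added example (not part of the thread, not code from either poster) that performs the check Tom's reply turns on: whether the SP metadata's key descriptors carry use="encryption" or no use attribute at all. In SAML metadata a KeyDescriptor without a use attribute is valid for both signing and encryption, so such a key also verifies the SP's signatures, which is why the four-step plan above does not cover it unchanged. The script parses SP metadata, classifies each key, prints a SHA-256 fingerprint of each certificate, and reports whether the simple plan applies. The metadata, entityID and certificate payloads are constructed placeholders, not a real deployment.

```python
"""Classify SP metadata KeyDescriptors before an encryption-key rollover."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample SP metadata (not from any real deployment). The
# X509Certificate payloads are placeholder bytes, not real certificates.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{new_enc}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{dual}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
""".format(
    new_enc=base64.b64encode(b"placeholder-new-encryption-cert").decode(),
    dual=base64.b64encode(b"placeholder-dual-use-cert").decode(),
)


def fingerprint(b64cert: str) -> str:
    """SHA-256 over the decoded (DER) bytes, colon-separated hex."""
    der = base64.b64decode("".join(b64cert.split()))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def key_descriptors(metadata_xml: str) -> list:
    """Return one record per SP KeyDescriptor: declared use and cert fingerprint."""
    root = ET.fromstring(metadata_xml)
    records = []
    for kd in root.findall("md:SPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use")  # None when the attribute is absent
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        records.append({
            # SAML metadata: no use attribute means the key serves signing AND encryption
            "use": use or "both",
            "fingerprint": fingerprint(cert.text) if cert is not None and cert.text else None,
        })
    return records


def rollover_plan(metadata_xml: str) -> dict:
    """Decide whether the simple four-step rollover (publish only the new key) applies.

    It applies when every key that can receive encrypted assertions is declared
    use="encryption". A key with no use attribute also verifies the SP's signatures,
    so dropping it from published metadata affects signing as well as encryption.
    """
    records = key_descriptors(metadata_xml)
    dual_use = [r["fingerprint"] for r in records if r["use"] == "both"]
    encryption_only = [r["fingerprint"] for r in records if r["use"] == "encryption"]
    return {
        "simple_rollover_ok": not dual_use,
        "encryption_only": encryption_only,
        "dual_use": dual_use,
    }


if __name__ == "__main__":
    for r in key_descriptors(SAMPLE_METADATA):
        print(f"{r['use']:<12} {r['fingerprint']}")
    print("simple four-step rollover applies:",
          rollover_plan(SAMPLE_METADATA)["simple_rollover_ok"])
```

Run it against your own SP metadata by passing the file contents to rollover_plan(); a non-empty dual_use list is the case Tom describes as more complicated, and the fingerprints let you confirm which published certificate each IdP is still using.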
