SP Key Rollover with IdP encryptAssertions="conditional"

Cantor, Scott cantor.2 at osu.edu
Thu Sep 22 18:54:22 BST 2011

On 9/22/11 12:31 PM, "Tom Scavo" <trscavo at gmail.com> wrote:
>> If you had complete control
>> of everything I could see how you wouldn't need it 2 though.
>You only need complete control at the SP. If you needed to control the
>IdP as well, then key rollover would be impossible in all but the
>simplest deployments.

You do need an IdP using metadata predictably and keeping it in sync. That
is often not the case if the IdP isn't Shibboleth or SSP, so in such
cases, it is in fact royally difficult/impossible.

-- Scott

More information about the users mailing list