SP Key Rollover with IdP encryptAssertions="conditional"

Peter Schober peter.schober at univie.ac.at
Thu Sep 22 19:15:01 BST 2011


* Tom Scavo <trscavo at gmail.com> [2011-09-22 18:39]:
> On Thu, Sep 22, 2011 at 12:21 PM, Christopher Bongaarts <cab at umn.edu> wrote:
> >
> > Step 1: configure credential resolvers on SP so it accepts messages
> > encrypted with either the old or new key
> > Step 2: provide updated metadata to IdPs with the new key (only)
> > Step 3: wait till all IdPs are using the new key
> > Step 4: remove the old key from your SP configuration
> 
> If the metadata contains a key descriptor with use="encryption", then
> that's about right. If, OTOH, the metadata contains a key descriptor
> with no use attribute, then it's a bit more complicated than that.

Would the above (by Christopher) still work without specifying a use
if the SP never signs requests and the IdP pushes attributes to the
SP (i.e., no SOAP queries to verify)?
-peter

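As an added illustration of Step 1 and Step 2 of the quoted procedure (this is not configuration posted by anyone in the thread): a Shibboleth SP 2.x shibboleth2.xml credential-resolver chain holding both keys, beside the metadata KeyDescriptor that publishes only the new certificate. File names and the certificate value are placeholders.

```xml
<!-- Added example, not from the thread. Step 1 (shibboleth2.xml): the SP keeps both
     keys so assertions encrypted to either certificate can still be decrypted
     during the rollover window. File names are placeholders. -->
<CredentialResolver type="Chaining">
    <CredentialResolver type="File" key="sp-key-new.pem" certificate="sp-cert-new.pem"/>
    <CredentialResolver type="File" key="sp-key-old.pem" certificate="sp-cert-old.pem"/>
</CredentialResolver>

<!-- Step 2 (SP metadata given to IdPs): only the new certificate is published.
     use="encryption" scopes this key to encryption; with no use attribute the key
     is also offered for signature verification, which is the case Tom distinguishes. -->
<md:KeyDescriptor use="encryption"
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:KeyInfo>
        <ds:X509Data>
            <ds:X509Certificate>PLACEHOLDER-BASE64-OF-NEW-SP-CERT</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</md:KeyDescriptor>
```

Step 4 of the procedure is then just deleting the second File resolver from the chain once the SP logs show no more assertions encrypted to the old certificate.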