SP Key Rollover with IdP encryptAssertions="conditional"

Tom Scavo trscavo at gmail.com
Thu Sep 22 21:26:37 BST 2011

On Thu, Sep 22, 2011 at 2:15 PM, Peter Schober
<peter.schober at univie.ac.at> wrote:
> * Tom Scavo <trscavo at gmail.com> [2011-09-22 18:39]:
>> On Thu, Sep 22, 2011 at 12:21 PM, Christopher Bongaarts <cab at umn.edu> wrote:
>> >
>> > Step 1: configure credential resolvers on SP so it accepts messages
>> > encrypted with either the old or new key
>> > Step 2: provide updated metadata to IdPs with the new key (only)
>> > Step 3: wait till all IdPs are using the new key
>> > Step 4: remove the old key from your SP configuration
>> If the metadata contains a key descriptor with use="encryption", then
>> that's about right. If, OTOH, the metadata contains a key descriptor
>> with no use attribute, then it's a bit more complicated than that.
> Would the above (by Christopher) still work without specifying a use
> if the SP never signs requests and the IdP pushes attributes to the
> SP (i.e., no SOAP queries to verify)?

Yes, but that's a hefty "if". In the InCommon Federation, for example,
we have data that suggests the vast majority of transactions are still
SAML1 and I'm fairly certain that almost all of them are doing
attribute query.
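A concrete illustration of Christopher's steps 1 and 2 in Shibboleth SP terms, added here as an example and not part of the thread: a chaining CredentialResolver in shibboleth2.xml that holds both keys during the rollover window, beside the SP metadata fragment (SAML 2.0 metadata with a KeyDescriptor use="encryption") that advertises only the new certificate. File names, the entityID and the certificate contents are constructed placeholders.

```xml
<!-- Step 1 (shibboleth2.xml, constructed example): the SP can decrypt
     with either key. The new key is listed first so it is the one used
     for signing; the old key stays only so assertions encrypted to the
     old certificate still decrypt until every IdP has refreshed metadata. -->
<CredentialResolver type="Chaining">
    <CredentialResolver type="File" key="sp-key-new.pem" certificate="sp-cert-new.pem"/>
    <CredentialResolver type="File" key="sp-key-old.pem" certificate="sp-cert-old.pem"/>
</CredentialResolver>

<!-- Step 2 (SP metadata published to IdPs, constructed example): only the
     new certificate, and explicitly scoped to encryption. Because the
     descriptor carries use="encryption", IdPs use it only to encrypt to
     the SP, so dropping the old certificate here does not affect any
     signature verification an IdP might do with metadata keys. -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>PLACEHOLDER-BASE64-OF-NEW-CERTIFICATE</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <!-- AssertionConsumerService and other elements unchanged -->
  </md:SPSSODescriptor>
</md:EntityDescriptor>
```

If the KeyDescriptor omits the use attribute, the same key is also what IdPs trust for verifying the SP's signatures and back-channel (attribute query) connections, which is the complication Tom points out: in that case the old certificate cannot simply be dropped from metadata in step 2 while the SP is still using it.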
