migrating to a new metadata signing key
Cantor, Scott
cantor.2 at osu.edu
Fri Jan 3 12:29:12 EST 2014
On 1/3/14, 12:17 PM, "Tom Scavo" <trscavo at gmail.com> wrote:
>Is it possible to configure Shibboleth (SP or IdP) with *two* metadata
>signing certificates (containing different keys) so that a federation
>could painlessly migrate to a new metadata signing key?
The SP definitely, the IdP I assume, but haven't tried. In both cases, it
would rely on a chaining credential resolver configured into the Metadata
filter that verifies the signature.
With the SP, you just do something like:
<MetadataFilter type="Signature">
    <CredentialResolver type="Chaining">
        <CredentialResolver type="File" certificate="one.pem"/>
        <CredentialResolver type="File" certificate="two.pem"/>
    </CredentialResolver>
</MetadataFilter>
Pretty sure the IdP has the same chaining ability the SP does since I
copied it from Brent. I think with the IdP, you have to use an actual
TrustEngine in the filter, but the TrustEngine can certainly be configured
to try multiple keys in a chain, just like we do in metadata when there
are multiple keys.
-- Scott
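For the IdP side that the reply describes only in words, here is an added example (not part of the original post) of an IdP 2.x relying-party.xml fragment in which the metadata filter references a StaticExplicitKeySignature TrustEngine holding both the old and the new federation signing certificate. The ids, URL and file paths are hypothetical.

```xml
<!-- Metadata provider for the federation; the SignatureValidation filter
     delegates verification to the TrustEngine referenced below. -->
<metadata:MetadataProvider id="FederationMD"
    xsi:type="metadata:FileBackedHTTPMetadataProvider"
    metadataURL="https://federation.example.org/metadata.xml"
    backingFile="/opt/shibboleth-idp/metadata/federation.xml">
  <metadata:MetadataFilter xsi:type="metadata:SignatureValidation"
      trustEngineRef="shibboleth.FederationMetadataTrustEngine"
      requireSignedMetadata="true"/>
</metadata:MetadataProvider>

<!-- Explicit-key trust engine: a signature is accepted if it verifies
     against any one of the listed credentials, so both keys are trusted
     during the migration window. -->
<security:TrustEngine id="shibboleth.FederationMetadataTrustEngine"
    xsi:type="security:StaticExplicitKeySignature">
  <!-- Current (old) signing certificate: drop this entry once the
       federation signs exclusively with the new key. -->
  <security:Credential id="FederationSigningOld" xsi:type="security:X509Filesystem">
    <security:Certificate>/opt/shibboleth-idp/credentials/federation-old.pem</security:Certificate>
  </security:Credential>
  <!-- New signing certificate: added ahead of the cutover so metadata
       signed with the new key validates without a service interruption. -->
  <security:Credential id="FederationSigningNew" xsi:type="security:X509Filesystem">
    <security:Certificate>/opt/shibboleth-idp/credentials/federation-new.pem</security:Certificate>
  </security:Credential>
</security:TrustEngine>
```

The `metadata:` and `security:` prefixes assume the standard `urn:mace:shibboleth:2.0:metadata` and `urn:mace:shibboleth:2.0:security` namespace declarations already present in a stock relying-party.xml.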