updating SP's signing cert in metadata

IAM David Bantz dabantz at alaska.edu
Thu Oct 12 14:44:27 EDT 2017

metadata markup says the cert is for signing; can I rely on that?

      <md:KeyDescriptor use="signing">
>          <ds:KeyInfo>
>             <ds:X509Data>
>                <ds:X509Certificate>...

On Thu, Oct 12, 2017 at 10:34 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 10/12/17, 2:30 PM, "users on behalf of IAM David Bantz" <
> users-bounces at shibboleth.net on behalf of dabantz at alaska.edu> wrote:
> > I think I can ease the transition by adding the new cert initially
> without removing the old in their metadata, and the IdP is smart
> > enough to rely on the right cert; then after the switch is verified,
> remove the old. Am I correct?
> Depends on whether it's used for signing, encryption, or both and what
> Salesforce itself is doing. You can't have a key in the metadata the IdP
> might pick to encrypt with if the other end doesn't know to use it.
> -- Scott
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20171012/8c914c75/attachment.html>

More information about the users mailing list