updating SP's signing cert in metadata
IAM David Bantz
dabantz at alaska.edu
Thu Oct 12 14:44:27 EDT 2017
metadata markup says the cert is for signing; can I rely on that?
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>...
On Thu, Oct 12, 2017 at 10:34 AM, Cantor, Scott <cantor.2 at osu.edu> wrote:
> On 10/12/17, 2:30 PM, "users on behalf of IAM David Bantz" <
> users-bounces at shibboleth.net on behalf of dabantz at alaska.edu> wrote:
>
> > I think I can ease the transition by adding the new cert initially
> > without removing the old in their metadata, and the IdP is smart
> > enough to rely on the right cert; then after the switch is verified,
> > remove the old. Am I correct?
>
> Depends on whether it's used for signing, encryption, or both and what
> Salesforce itself is doing. You can't have a key in the metadata the IdP
> might pick to encrypt with if the other end doesn't know to use it.
>
> -- Scott
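An added example, not code from the thread or from Shibboleth: it encodes Scott's caveat by parsing an SP's metadata and flagging any certificate the IdP may pick for encryption (use="encryption", or no use attribute, which the SAML metadata spec treats as both) that the SP cannot yet decrypt with. The sample metadata, entityID and certificate bodies are constructed placeholders; only the standard library is assumed.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample SP metadata: an old certificate with no `use` attribute
# (valid for signing AND encryption) plus a newly added signing-only one.
# The certificate bodies are placeholders, not real X.509 data.
SAMPLE_SP_METADATA = f"""
<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        OLDCERT-PLACEHOLDER
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        NEWCERT-PLACEHOLDER
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def describe_keys(metadata_xml):
    """One record per KeyDescriptor: certificate text (whitespace stripped),
    its `use` ("both" when the attribute is absent), and whether an IdP may
    choose this key when encrypting assertions to the SP."""
    root = ET.fromstring(metadata_xml.strip())
    records = []
    for kd in root.iter(f"{{{MD_NS}}}KeyDescriptor"):
        use = kd.get("use")  # "signing", "encryption", or None (= both)
        cert_el = kd.find(f".//{{{DS_NS}}}X509Certificate")
        cert = "".join(cert_el.text.split()) if cert_el is not None and cert_el.text else ""
        records.append({"cert": cert, "use": use or "both",
                        "idp_may_encrypt_with": use in (None, "encryption")})
    return records


def encryption_gaps(metadata_xml, sp_private_keys):
    """Certificates the IdP might encrypt with that the SP has no private key
    for yet. Any entry means publishing this metadata can break logins, which
    is why a signing-only KeyDescriptor is the safe way to stage a new cert."""
    return [r["cert"] for r in describe_keys(metadata_xml)
            if r["idp_may_encrypt_with"] and r["cert"] not in sp_private_keys]
```

With the new cert marked use="signing" the check returns no gaps, so it can sit beside the old cert while the IdP verifies signatures with either; drop the `use` attribute and the same cert is reported as a gap until the SP actually holds its private key.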