IDP 3.4.3 Expiring Signing Certificate Rollover

Thomas, Richard C. rcthomas at utmb.edu
Tue Feb 4 18:57:32 EST 2020


Have SPs pointing to expiring signing cert point to new cert when they receive updated IDP metadata.
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott <cantor.2 at osu.edu>
Sent: Tuesday, February 4, 2020 5:38:35 PM
To: Shib Users <users at shibboleth.net>
Subject: RE: IDP 3.4.3 Expiring Signing Certificate Rollover

> I have verified that old and new signing cert works but only one at a time
> depending on which bean is not commented out or which bean is first within
> util:list in credentials.xml

What exactly are you expecting to happen? Any given security and signing configuration is going to use exactly one key, and other than exceptional cases involving different key types, there's no concept of picking a key based on anything other than a local decision over which key to use.

> Haven't found other documentation.

Controlling credentials is documented in [1]

-- Scott

[1] https://wiki.shibboleth.net/confluence/display/IDP30/SecurityConfiguration
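
Added example, not part of the original thread and not Shibboleth project code: because the IdP signs with exactly one key at a time, a check like the following shows whether the copy of the IdP metadata an SP holds already lists the new signing certificate alongside the old one before the active signing credential is changed. The entityID, certificate placeholders and function names are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholders standing in for base64 certificate bodies.
OLD_CERT = "T0xEU0lHTklOR0NFUlQ="
NEW_CERT = "TkVXU0lHTklOR0NFUlQ="

# Constructed IdP metadata as an SP might hold it during the overlap period.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {OLD_CERT}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{NEW_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>RU5DUllQVElPTkNFUlQ=</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def normalize(b64):
    """Strip the line breaks and indentation metadata files put inside certificates."""
    return "".join(b64.split())

def signing_certs(metadata_xml):
    """Certificates the metadata offers for verifying the IdP's signatures."""
    root = ET.fromstring(metadata_xml)  # assumes the metadata was already signature-checked
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor with no "use" attribute applies to signing and encryption.
        if kd.get("use") in (None, "signing"):
            certs += [normalize(c.text or "") for c in kd.iterfind(".//ds:X509Certificate", NS)]
    return certs

def rollover_state(metadata_xml, old_cert, new_cert):
    """Classify where this copy of the metadata is in the rollover."""
    published = set(signing_certs(metadata_xml))
    has_old, has_new = normalize(old_cert) in published, normalize(new_cert) in published
    if has_old and has_new:
        return "overlap"            # either key verifies; the IdP can switch its one signing key
    if has_new:
        return "rollover-complete"  # only the new certificate is trusted
    return "new-not-published" if has_old else "neither-published"
```
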