Adding Another IDP Signing Certificate in Shib 3.x SP

Mak, Steve makst at upenn.edu
Mon Feb 10 08:22:24 EST 2020


I want to make sure you were aware that there are potentially two different signing certs in play here:  the idp metadata signing cert and the idp's SAML response/assertion signing cert.  They might be the same, but they also might not be.

If the IdP is updating the idp-metadata signing cert you add the new CredentialResolver.  If the IdP is only updating their SAML response/assertion signing cert you only have to make sure it's part of their published idp-metadata, but that will probably automatically happen without you needing to do anything.

-Steve
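An added check that is not part of this thread: a small Python script illustrating Steve's distinction above and the chained CredentialResolver Alan quotes further down. It extracts the assertion-signing certificates the IdP publishes in its metadata (KeyDescriptor use="signing" or unspecified) and lists the metadata-signing PEM files the SP's Signature MetadataFilter trusts, so you can confirm a new cert is covered by the right mechanism. The entityIDs, URLs and the certificate bytes are constructed placeholders (not real certificates); only the PEM file names come from the thread.

```python
"""Compare the IdP's published SAML signing certs with the SP's trusted
metadata-signing certs. Added example, not code from the Shibboleth
project; all certificate material below is constructed, not real."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-ins for DER certificate bytes (NOT real certificates).
OLD_DER = b"constructed: old idp assertion-signing cert"
NEW_DER = b"constructed: new idp assertion-signing cert"
ENC_DER = b"constructed: idp encryption cert"
ROGUE_DER = b"constructed: cert the IdP never published"


def pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM envelope."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


def pem_to_der(pem_text: str) -> bytes:
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem_text)
    return base64.b64decode("".join(body.split()))


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


# Constructed IdP metadata: two signing certs (old + new) and one encryption cert.
SAMPLE_IDP_METADATA = f"""
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(OLD_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(NEW_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(ENC_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed shibboleth2.xml fragment using the chained resolver from the thread.
SAMPLE_SHIB_CONFIG = """
<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config">
  <ApplicationDefaults entityID="https://sp.example.org/shibboleth">
    <MetadataProvider type="XML" url="https://idp.example.org/idp/shibboleth"
                      backingFilePath="idp-metadata.xml">
      <MetadataFilter type="Signature">
        <CredentialResolver type="Chaining">
          <CredentialResolver type="File" certificate="Lab-WebloginFull.pem"/>
          <CredentialResolver type="File" certificate="New-Lab-WebloginFull.pem"/>
        </CredentialResolver>
      </MetadataFilter>
    </MetadataProvider>
  </ApplicationDefaults>
</SPConfig>
"""


def idp_signing_certs(metadata_xml: str) -> list:
    """SHA-256 fingerprints of the certs the IdP publishes for signing."""
    root = ET.fromstring(metadata_xml)
    out = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only keys never sign responses/assertions
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            out.append(fingerprint(base64.b64decode("".join(cert.text.split()))))
    return out


def sp_metadata_signing_files(shib_xml: str) -> list:
    """PEM files the SP trusts for verifying the *metadata* signature."""
    root = ET.fromstring(shib_xml)
    files = []
    for mf in root.iter():
        if mf.tag.split("}")[-1] != "MetadataFilter" or mf.get("type") != "Signature":
            continue
        if mf.get("certificate"):  # single-cert shorthand form
            files.append(mf.get("certificate"))
        for cr in mf.iter():
            if (cr.tag.split("}")[-1] == "CredentialResolver"
                    and cr.get("type") == "File" and cr.get("certificate")):
                files.append(cr.get("certificate"))
    return files


def assertion_signer_trusted(metadata_xml: str, cert_pem: str) -> bool:
    """True if this cert appears among the IdP's published signing certs."""
    return fingerprint(pem_to_der(cert_pem)) in idp_signing_certs(metadata_xml)


if __name__ == "__main__":
    print("metadata-signing files trusted by SP:", sp_metadata_signing_files(SAMPLE_SHIB_CONFIG))
    print("new assertion-signing cert published:", assertion_signer_trusted(SAMPLE_IDP_METADATA, pem(NEW_DER)))
    print("unpublished cert accepted:", assertion_signer_trusted(SAMPLE_IDP_METADATA, pem(ROGUE_DER)))
```

If the IdP only rotates its assertion-signing key, the second check is the one that matters: once the new cert shows up in the refreshed metadata, no SP config change is needed. If the IdP rotates its metadata-signing key, the first list is what has to grow.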

On 2/10/20, 08:17, "users on behalf of Bhagwat, Shrikant" <users-bounces at shibboleth.net on behalf of shrbhagw at med.umich.edu> wrote:

Thanks. Let me try this 


-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Alan Buxey
Sent: Monday, February 10, 2020 3:53 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Adding Another IDP Signing Certificate in Shib 3.x SP

change your <MetadataFilter type="Signature"
certificate="Lab-WebloginFull.pem"/> to eg

<MetadataFilter type="Signature">
        <CredentialResolver type="Chaining">
                <CredentialResolver type="File" certificate="Lab-WebloginFull.pem"/>
                <CredentialResolver type="File" certificate="New-Lab-WebloginFull.pem"/>
        </CredentialResolver>
</MetadataFilter>

??

alan
-- 
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

**********************************************************
Electronic Mail is not secure, may not be read every day, and should not be used for urgent or sensitive issues 
