Question about relying-party-system.xml

Ullfig, Roberto Alfredo rullfig at
Wed Jun 30 18:48:15 UTC 2021

Yes, understand all that. Service owners have long been notified - some applications have been tested with the new certificate, etc. We've even encountered an SP that broke when we added the second certificate to federated metadata. I think we've prepared as much as we could. Major applications should be fine - there might be a few that break though.

Roberto Ullfig - rullfig at
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago

From: users <users-bounces at> on behalf of Cantor, Scott <cantor.2 at>
Sent: Wednesday, June 30, 2021 1:36 PM
To: Shib Users <users at>
Subject: Re: Question about relying-party-system.xml

On 6/30/21, 2:20 PM, "users on behalf of Ullfig, Roberto Alfredo" <users-bounces at on behalf of rullfig at> wrote:

>    Thanks! Are there any potential issues with switching from a SHA1 signing certificate to a SHA 256 signing
> certificate? Could any SP be impacted by this?

Yes, not because it's a SHA-2 certificate but because you're *changing your certificate*. That is going to break a ton of stuff.

If it's not Shibboleth, there is no standard governing its behavior and no documentation as to how it does what it does.

So the answer is that you cannot hope to predict anything about it, which is why key changes are so painful. There are a huge number of systems that treat a certificate change as equivalent to a key change. Shibboleth just doesn’t happen to be one of them.

-- Scott
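
The distinction drawn above between a certificate change and a key change can be checked before a rollover by comparing the SubjectPublicKeyInfo of the old and new certificates. This is an added example, not code from the thread or from Shibboleth; the function names are hypothetical and the sample certificates are constructed DER skeletons with made-up key bytes and no valid signature.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, content_start, end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_sha256(cert_der):
    """SHA-256 of the raw SubjectPublicKeyInfo in a DER certificate."""
    _, start, _ = read_tlv(cert_der, 0)          # Certificate
    _, pos, tbs_end = read_tlv(cert_der, start)  # tbsCertificate
    fields = []
    while pos < tbs_end:
        tag, _, end = read_tlv(cert_der, pos)
        if tag != 0xA0:  # skip the optional [0] version wrapper
            fields.append(cert_der[pos:end])
        pos = end
    return hashlib.sha256(fields[5]).hexdigest()  # after serial, sigAlg, issuer, validity, subject

def classify_rollover(old_der, new_der):
    if old_der == new_der:
        return "unchanged"
    if spki_sha256(old_der) == spki_sha256(new_der):
        return "certificate changed, key unchanged"
    return "certificate and key changed"

# Constructed sample data below: minimal DER builders, not real certificates.
def tlv(tag, content=b""):
    n, size = len(content), (len(content).bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

def seq(*parts): return tlv(0x30, b"".join(parts))
RSA = bytes.fromhex("2a864886f70d0101")  # OID prefix 1.2.840.113549.1.1

def sample_cert(serial, sig_alg, key_bytes):
    """Certificate-shaped skeleton: version, serial, sigAlg, empty names, SPKI."""
    alg = seq(tlv(0x06, RSA + bytes([sig_alg])), tlv(0x05))
    spki = seq(seq(tlv(0x06, RSA + b"\x01"), tlv(0x05)), tlv(0x03, b"\x00" + key_bytes))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, bytes([serial])),
              alg, seq(), seq(), seq(), spki)
    return seq(tbs, alg, tlv(0x03, b"\x00" * 9))

KEY_A, KEY_B = bytes(range(256)) + b"\x01", bytes(range(255, -1, -1)) + b"\x01"
OLD = sample_cert(1, 0x05, KEY_A)        # sha1WithRSAEncryption
REISSUED = sample_cert(2, 0x0B, KEY_A)   # sha256WithRSAEncryption, same key
REKEYED = sample_cert(3, 0x0B, KEY_B)    # sha256WithRSAEncryption, new key
```

A relying party that matches on the whole certificate sees both non-"unchanged" results as a break; one that compares only the public key is affected only by the last case.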
