Expiring IDP signing certificate

Ullfig, Roberto Alfredo rullfig at uic.edu
Fri Jun 3 16:36:28 UTC 2022

That is a good point about the non-Shibboleth SPs.

We changed our certificate recently. The first thing we did was identify all ACTIVE service providers by searching our logs over the course of a 3 month period. We put all this information in a spreadsheet and then started extracting all the contact information from the metadata (adding that to the sheet as well). We had a script that would parse metadata repositories looking for contact information etc... For those service providers without valid contact information we had to investigate on a case by case basis - we had about 200 active service providers as I recall. We also collected application URLs and saved that information as well. Then we sent out a few directed mailings to all the contacts over the course of a few months with instructions on what they had to do. Using a development IDP server configured with the new certificate we were able to test many of the applications before we made the change and kept track of that in our spreadsheet. There were maybe a dozen SPs still broken when the change was made but they were all sorted out within a week or so. For SPs that support multiple certificates, the transition was seamless. For some SPs we coordinated with their service technicians on the day of the changeover.

Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
From: users <users-bounces at shibboleth.net> on behalf of Wessel, Keith via users <users at shibboleth.net>
Sent: Friday, June 3, 2022 11:18 AM
To: Shib Users <users at shibboleth.net>
Cc: Wessel, Keith W (UIUC) <kwessel at illinois.edu>
Subject: RE: Expiring IDP signing certificate

Shibboleth SPs won’t care if it expires. That can’t be said to be true for all SAML implementations and vendors.

And even though nothing will break, it’s highly advisable to not have an expired certificate published with your InCommon metadata.


From: users <users-bounces at shibboleth.net> On Behalf Of Ullfig, Roberto Alfredo via users
Sent: Friday, June 3, 2022 11:16 AM
To: Shib Users <users at shibboleth.net>
Cc: Ullfig, Roberto A (UIC) <rullfig at uic.edu>
Subject: Re: Expiring IDP signing certificate

If you google for "replacing IDP cert incommon" you will get some hits to useful documentation but those sites are currently unavailable. As I understand it though, that certificate expiration date is entirely advisory, nothing should break or change when that self-signed certificate expires. The expiration date is merely advising that you should periodically replace the certificate.


Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago


From: users <users-bounces at shibboleth.net> on behalf of Ho, PeiQuan via users <users at shibboleth.net>
Sent: Friday, June 3, 2022 10:51 AM
To: users at shibboleth.net <users at shibboleth.net>
Cc: Ho, PeiQuan <PeiQuan.Ho at tufts.edu>
Subject: Expiring IDP signing certificate


Our IDP signing certificate as used in shibboleth.DefaultSigningCredential is expiring. It is the 10-year self-signed certificate as recommended during installation. What is the process to update/rollover this cert with minimal impact to SPs?



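The first two steps of the rollover inventory described in the thread (find the SPs that were actually active in the audit logs, then pull their contact addresses out of the metadata so the ones without a usable contact can be chased by hand), as an added example that is not code from the thread or the Shibboleth project. It assumes a pipe-delimited audit log with the SP entityID in the fourth field (the sample lines and the metadata aggregate are constructed); adjust the field index to your own audit format.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed IdP audit lines. Assumed layout: pipe-delimited with the SP
# entityID in the 4th field; adjust the 'field' argument to your audit format.
AUDIT_LOG = """\
20220301T120000Z|urn:mace:shibboleth:2.0:profiles:saml2:sso|_a1|https://sp1.example.edu/shibboleth|alice
20220315T090000Z|urn:mace:shibboleth:2.0:profiles:saml2:sso|_a2|https://sp2.example.edu/shibboleth|bob
20220402T100000Z|urn:mace:shibboleth:2.0:profiles:saml2:sso|_a3|https://sp1.example.edu/shibboleth|carol
"""

# Constructed metadata aggregate: sp1 publishes a technical contact,
# sp2 publishes none (so it needs case-by-case investigation).
METADATA = f"""<EntitiesDescriptor xmlns="{NS['md']}">
 <EntityDescriptor entityID="https://sp1.example.edu/shibboleth"><SPSSODescriptor/>
  <ContactPerson contactType="technical"><EmailAddress>mailto:it@sp1.example.edu</EmailAddress></ContactPerson>
 </EntityDescriptor>
 <EntityDescriptor entityID="https://sp2.example.edu/shibboleth"><SPSSODescriptor/></EntityDescriptor>
</EntitiesDescriptor>"""

def active_entity_ids(log_text, field=3):
    # Distinct SP entityIDs seen in the audit window: the "active" SP list.
    ids = set()
    for line in log_text.splitlines():
        parts = line.split("|")
        if len(parts) > field and parts[field].startswith(("http", "urn:")):
            ids.add(parts[field])
    return ids

def sp_contacts(metadata_xml):
    # Map SP entityID -> [(contactType, email)], ignoring non-SP entities.
    out = {}
    for ed in ET.fromstring(metadata_xml).iter(f"{{{NS['md']}}}EntityDescriptor"):
        if ed.find("md:SPSSODescriptor", NS) is None:
            continue
        emails = []
        for cp in ed.findall("md:ContactPerson", NS):
            for em in cp.findall("md:EmailAddress", NS):
                addr = (em.text or "").strip().replace("mailto:", "", 1)
                if addr:
                    emails.append((cp.get("contactType", "other"), addr))
        out[ed.get("entityID")] = emails
    return out

def contact_sheet(log_text=AUDIT_LOG, metadata_xml=METADATA):
    # One row per active SP; an empty value means manual follow-up is needed.
    contacts = sp_contacts(metadata_xml)
    return {eid: ";".join(f"{t}:{a}" for t, a in contacts.get(eid, []))
            for eid in sorted(active_entity_ids(log_text))}
```

Entities present in the aggregate but absent from the log window never make it onto the sheet, which is exactly the filtering that keeps the mailing list down to SPs that will actually notice the change.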