Expiring IDP signing certificate
Ullfig, Roberto Alfredo
rullfig at uic.edu
Fri Jun 3 20:16:23 UTC 2022
I'd say that the majority of non-Shibboleth SPs don't support multiple certificates; some do, but most don't. In this case it was Box. We had to open a service call with them on the day of the certificate change. I was on the phone with them, told them it was changed on our end, and they then changed it on their end.
---
Roberto Ullfig - rullfig at uic.edu
Systems Administrator
Enterprise Applications & Services | Technology Solutions
University of Illinois - Chicago
________________________________
From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott via users <users at shibboleth.net>
Sent: Friday, June 3, 2022 11:46 AM
To: Shib Users <users at shibboleth.net>
Cc: Cantor, Scott <cantor.2 at osu.edu>
Subject: Re: Expiring IDP signing certificate
On 6/3/22, 12:36 PM, "users on behalf of Ullfig, Roberto Alfredo via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:
> For some SPs we coordinated with their service technicians on the day of the changeover.
When you're dealing with a key rollover, you don't really have "a day"; that's not the best way to approach it.
You deploy both keys at once. In the initial phase, you generally start by adding the new key as a second, migrate broken SPs as you go along, and eventually you hit the point where every SP is either tagged to use the old or new key, and you're ready to flip the default key. And then you spend more weeks and months migrating anything still tagged to use the old key until you're finally off it.
I did an example of mechanically how to do some aspects of this, though it's ultimately an organic and somewhat locally-dependent process.
https://shibboleth.atlassian.net/wiki/spaces/IDP4/pages/2986475557/MetadataDrivenConfigurationExamples
-- Scott
--
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
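A defender-side check for the rollover state Scott describes, added here as an example (it is not code from this thread or from the Shibboleth project): it parses an IdP's SAML metadata, lists the KeyDescriptors an SP may use to verify signatures by certificate fingerprint, reports whether the IdP is currently publishing one signing key or two, and tells whether an SP that pinned a single certificate (the Box situation above) would still find its pinned key. The entityID and the certificate bytes in the sample metadata are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def signing_certs(metadata_xml):
    """One entry per KeyDescriptor an SP may use to verify signatures:
    use="signing" or no use attribute (which metadata treats as both uses)."""
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iter("{%s}KeyDescriptor" % NS["md"]):
        use = kd.get("use")
        if use not in (None, "signing"):
            continue                      # encryption-only keys do not matter here
        cert = kd.find(".//ds:X509Certificate", NS)
        if cert is None or not (cert.text or "").strip():
            continue
        der = base64.b64decode("".join(cert.text.split()))
        found.append({"use": use or "unspecified",
                      "sha256": hashlib.sha256(der).hexdigest()})
    return found

def rollover_state(metadata_xml):
    """'rollover' while old and new signing keys are both published, else 'single-key'."""
    n = len(signing_certs(metadata_xml))
    return "no-signing-key" if n == 0 else ("single-key" if n == 1 else "rollover")

def sp_still_trusts(metadata_xml, pinned_sha256):
    """An SP that stores exactly one IdP certificate breaks the moment that
    fingerprint is no longer among the published signing keys."""
    return any(c["sha256"] == pinned_sha256 for c in signing_certs(metadata_xml))

def sample_metadata(key_descriptors):
    """Constructed IdP metadata; key_descriptors is a list of (use, fake_der_bytes).
    The bytes are placeholders, not real certificates; only their fingerprints matter."""
    kds = ""
    for use, raw in key_descriptors:
        use_attr = (' use="%s"' % use) if use else ""
        kds += ('<md:KeyDescriptor%s><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
                '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>'
                % (use_attr, base64.b64encode(raw).decode()))
    return ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" '
            'entityID="https://idp.example.org/idp/shibboleth">'   # placeholder entityID
            '<md:IDPSSODescriptor protocolSupportEnumeration='
            '"urn:oasis:names:tc:SAML:2.0:protocol">%s</md:IDPSSODescriptor>'
            '</md:EntityDescriptor>' % (NS["md"], NS["ds"], kds))
```

Against a real deployment, feed `signing_certs` the metadata the IdP actually publishes and compare the fingerprints with what each single-certificate SP has on file before the default key is flipped.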