Expiring IDP signing certificate

Cantor, Scott cantor.2 at osu.edu
Fri Jun 3 21:01:38 UTC 2022

On 6/3/22, 4:16 PM, "users on behalf of Ullfig, Roberto Alfredo via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:

>    I'd say that the majority of non-Shibboleth SPs don't support multiple certificates; some do, but most don't.

Deploying multiple keys not only doesn't imply publishing metadata with 2, but it mandates you don't until specific windows. Even aside from that, almost nothing that doesn't support multiple keys consumes metadata anyway, let alone federation-published metadata.

I think I hit one in total, the truly horrendous Cornerstone, which I never should have pushed toward InCommon.

> In this case it was Box. We had to open a service call with them on the day of the certificate change.

Yes, but the "day of the change" should be the day you change the tag on Box's metadata. Which is not the day you need to change everything else or anything else.

Creating a flag day is unnecessary and greatly complicates this kind of change.

-- Scott
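The phased rollover Scott describes, as an added illustration that is not code from the thread or from the Shibboleth project: the IdP publishes the new signing key in metadata first, switches to signing with it later, and withdraws the old key last, so an SP that consumes metadata never sees a signature it cannot verify, while an SP that pins a single certificate (Box in the thread) only has to be touched on the day its own pinned copy is swapped. The entity ID and the certificate bodies are constructed placeholders, and the four phase labels are my own names for the windows, not terminology from the thread or the IdP software.

```python
"""Simulate an IdP signing-key rollover against SAML metadata (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ET.register_namespace("md", NS["md"])
ET.register_namespace("ds", NS["ds"])

# Constructed placeholders standing in for base64 DER certificate bodies.
OLD_CERT = "MIIC-OLD-constructed-placeholder"
NEW_CERT = "MIIC-NEW-constructed-placeholder"
ENTITY_ID = "https://idp.example.edu/idp/shibboleth"  # assumed entity ID

# Rollover windows in order: (phase name, certs published in metadata,
# cert the IdP actually signs with). Two keys are published only in the
# middle two windows; the new key is published before it is ever used.
PHASES = [
    ("before", [OLD_CERT], OLD_CERT),
    ("publish-new", [OLD_CERT, NEW_CERT], OLD_CERT),
    ("switch", [OLD_CERT, NEW_CERT], NEW_CERT),
    ("retire-old", [NEW_CERT], NEW_CERT),
]


def build_metadata(entity_id, signing_certs):
    """Return IdP metadata XML with one KeyDescriptor use="signing" per cert."""
    ed = ET.Element(f"{{{NS['md']}}}EntityDescriptor", {"entityID": entity_id})
    idp = ET.SubElement(
        ed, f"{{{NS['md']}}}IDPSSODescriptor",
        {"protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol"},
    )
    for cert in signing_certs:
        kd = ET.SubElement(idp, f"{{{NS['md']}}}KeyDescriptor", {"use": "signing"})
        ki = ET.SubElement(kd, f"{{{NS['ds']}}}KeyInfo")
        x509 = ET.SubElement(ki, f"{{{NS['ds']}}}X509Data")
        ET.SubElement(x509, f"{{{NS['ds']}}}X509Certificate").text = cert
    return ET.tostring(ed, encoding="unicode")


def published_signing_certs(metadata_xml):
    """Certs a metadata-consuming SP trusts for signatures.

    A KeyDescriptor without a use attribute covers both signing and
    encryption, so it is treated as a signing key here.
    """
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))
    return certs


def metadata_sp_accepts(metadata_xml, signing_cert):
    """SP that refreshes metadata: accepts any currently published signing cert."""
    return signing_cert in published_signing_certs(metadata_xml)


def pinned_sp_accepts(pinned_cert, signing_cert):
    """SP that pins exactly one certificate (no metadata support)."""
    return pinned_cert == signing_cert


def simulate_rollover(pinned_sp_cert):
    """Walk the phases; report whether each SP type can verify the IdP's signatures."""
    results = {}
    for name, published, active in PHASES:
        md = build_metadata(ENTITY_ID, published)
        results[name] = {
            "metadata_sp": metadata_sp_accepts(md, active),
            "pinned_sp": pinned_sp_accepts(pinned_sp_cert, active),
        }
    return results


if __name__ == "__main__":
    for pinned in (OLD_CERT, NEW_CERT):
        print("pinned SP holds", "OLD" if pinned is OLD_CERT else "NEW", "cert:")
        for phase, ok in simulate_rollover(pinned).items():
            print(f"  {phase:12s} metadata_sp={ok['metadata_sp']} pinned_sp={ok['pinned_sp']}")
```

Running it shows the metadata-consuming SP verifying in every phase, while the pinned SP only verifies while its single stored cert matches the key the IdP is actively using; its "day of change" is therefore the start of the "switch" window and nothing else has to move on that day.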
