OpenSAML user discussion

[Chad La Joie <>]

No, trust establishment is specifically out of scope.  Shib embeds the 
certs in metadata and checks against that.  Most other products do use 
metadata so they do something else.

In terms of key rollover we just put both keys in the metadata for a 
period of time and then pull the old one when we think everyone has had 
enough time to get the new metadata.

On 1/7/11 8:15 AM, Chris Card wrote:
> Hi,
> do the SAML specs give any guidance on how to manage certificates used
> to verify signatures on AuthnRequests and Assertions, especially in
> the case where there are multiple IDPs talking to an SP. For example, if
> the SP certificate changes, the consequent metadata change must be
> propagated to all
> the IDPs, and while the propagation is happening there's a time window
> where it's possible that an IDP will reject an AuthnRequest because it
> hasn't received the new certificate.
>
> Chris

--
Chad La Joie
http://itumi.biz
trusted identities, delivered