
mace-opensaml-users - RE: [OpenSAML] certificate management

Subject: OpenSAML user discussion

  • From: Chris Card <>
  • To: <>
  • Subject: RE: [OpenSAML] certificate management
  • Date: Fri, 7 Jan 2011 13:24:11 +0000
  • Importance: Normal




> > Hi,
> > do the SAML specs give any guidance on how to manage certificates used
> > to verify signatures on AuthnRequests and Assertions, especially in
> > the case where there are multiple IDPs talking to an SP. For example, if
> > the SP certificate changes, the consequent metadata change must be
> > propagated to all the IDPs, and while the propagation is happening there's a time window
> > where it's possible that an IDP will reject an AuthnRequest because it
> > hasn't received the new certificate.
>
> Date: Fri, 7 Jan 2011 08:18:02 -0500
> From:
> To:
> Subject: Re: [OpenSAML] certificate management
>
> No, trust establishment is specifically out of scope. Shib embeds the
> certs in metadata and checks against that. Most other products do use
> metadata so they do something else.
>
> In terms of key rollover we just put both keys in the metadata for a
> period of time and then pull the old one when we think everyone has had
> enough time to get the new metadata.
>
Thanks Chad, that sounds like a good idea.

Chris
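The rollover approach Chad describes, modelled as an added example (not code from the thread or from OpenSAML): the SP publishes both the old and the new signing certificate in its metadata for a while, an IdP trusts whatever signing certificates are in the metadata copy it currently holds, and the old certificate is pulled only once every IdP has refreshed. The entityID and the certificate strings are constructed placeholders.

```python
"""SAML metadata signing-key rollover: old and new certificates side by side.
Added example; certificate values are constructed placeholders, not real X.509 data."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def metadata_with(certs):
    """Build SP metadata with one signing KeyDescriptor per certificate (constructed)."""
    kds = "".join(
        f'<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>\n  {c}\n</ds:X509Certificate>"
        f"</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>" for c in certs)
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'entityID="https://sp.example.org/shibboleth"><md:SPSSODescriptor '
            f'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
            f"{kds}</md:SPSSODescriptor></md:EntityDescriptor>")

def signing_certs(metadata_xml):
    """Signing certificates an IdP would trust from this metadata.
    A KeyDescriptor with no 'use' attribute covers both signing and encryption."""
    root = ET.fromstring(metadata_xml)
    certs = set()
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.iterfind(".//ds:X509Certificate", NS):
            certs.add("".join((c.text or "").split()))  # drop base64 line breaks
    return certs

def accepts_signer(metadata_xml, signer_cert):
    """Would an IdP holding this metadata accept a request signed with signer_cert?"""
    return "".join(signer_cert.split()) in signing_certs(metadata_xml)

OLD, NEW = "OLDCERTPLACEHOLDER", "NEWCERTPLACEHOLDER"  # constructed placeholders
STALE = metadata_with([OLD])          # metadata an IdP fetched before the rollover
ROLLOVER = metadata_with([OLD, NEW])  # both keys published during the rollover window
FINAL = metadata_with([NEW])          # old key pulled once everyone has refreshed

if __name__ == "__main__":
    # An IdP that has not refreshed rejects the new key (the window Chris worries
    # about); one on the rollover metadata accepts either; after the old key is
    # pulled, only the new one works.
    print("stale IdP, new key:   ", accepts_signer(STALE, NEW))      # False
    print("rollover IdP, old key:", accepts_signer(ROLLOVER, OLD))   # True
    print("rollover IdP, new key:", accepts_signer(ROLLOVER, NEW))   # True
    print("final IdP, old key:   ", accepts_signer(FINAL, OLD))      # False
```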


