The term key rollover refers to a process whereby one key is systematically replaced by another key in SAML metadata. Since SAML entities (and therefore SAML metadata) are distributed, key rollover must be deliberate, so as not to break the key operations of a relying party.

The general process of rolling over a key in an IdP without causing unnecessary downtime is as follows:

  1. Create a new key pair for signing and SSL/TLS.
  2. Add the new KeyDescriptor to your metadata.
  3. Send the new metadata to Operations and wait for the newly updated metadata to propagate throughout the Federation.
  4. Reconfigure the IdP software to use the new key (instead of the old key) as the signing key and the SSL/TLS key.
  5. Remove the old KeyDescriptor from your metadata and send the new metadata to Operations.

The following describes the process in detail for Shibboleth IdPs. The information can be used as inspiration for other IdP implementations.

NOTES:
From the Internet2 wiki: all key descriptors in Shibboleth IdP metadata are of the form <md:KeyDescriptor use="signing">.
The majority of the XML files under swamid-2.0/ metadata use a KeyDescriptor without the use="signing" attribute; according to the wiki (https://wiki.shibboleth.net/confluence/display/SHIB2/IdPKeyRollover) this is a bug. Do we need to correct this before we can perform key rollover? Presumably not: see swamid.user.uu.se-idp-shibboleth.xml.
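The two metadata edits in the procedure above (step 2, publishing the new KeyDescriptor next to the old one, and step 5, removing the old one only after the IdP has switched keys) are the part most easily done wrong by hand. The following is an added example, not code from SWAMID or the Shibboleth project: a small Python script using only the standard library that inserts a second use="signing" KeyDescriptor into an IdP EntityDescriptor, lists the SHA-256 fingerprints of the certificates it carries, and later removes the retired certificate, refusing to remove the last signing key. In line with the note above, it also treats a KeyDescriptor that has no use attribute as a signing key, since an omitted use means the key serves both signing and encryption. The entityID, endpoint and certificate bodies are constructed placeholders, not real values or real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
# Register prefixes so the rewritten metadata keeps md:/ds: rather than ns0:/ns1:.
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", DS_NS)

# Constructed placeholders standing in for the base64 DER bodies of the old and
# new certificates.  They are NOT real certificates; in a real rollover the PEM
# body (without the BEGIN/END lines) of each certificate goes here.
OLD_CERT_B64 = base64.b64encode(b"placeholder: OLD idp certificate").decode()
NEW_CERT_B64 = base64.b64encode(b"placeholder: NEW idp certificate").decode()

# Constructed sample: a minimal IdP EntityDescriptor with one signing key.
# entityID and endpoint are placeholders, not a SWAMID member's values.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD_NS}" xmlns:ds="{DS_NS}"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{OLD_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def load_metadata(xml_text):
    """Parse an EntityDescriptor document and return its root element."""
    return ET.fromstring(xml_text)


def fingerprint(cert_b64):
    """SHA-256 hex fingerprint of a base64 certificate body (whitespace ignored)."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()


def _role(root):
    return root.find(f"{{{MD_NS}}}IDPSSODescriptor")


def signing_key_descriptors(root):
    """KeyDescriptors usable for signing: use="signing", or no use attribute at
    all (an omitted use means the key serves both signing and encryption)."""
    return [kd for kd in _role(root).findall(f"{{{MD_NS}}}KeyDescriptor")
            if kd.get("use") in (None, "signing")]


def signing_fingerprints(root):
    """Fingerprints of every certificate published for signing, in document order."""
    fps = []
    for kd in signing_key_descriptors(root):
        cert = kd.find(f".//{{{DS_NS}}}X509Certificate")
        if cert is not None and cert.text:
            fps.append(fingerprint(cert.text))
    return fps


def add_signing_key(root, cert_b64):
    """Step 2: publish the new certificate alongside the old one (idempotent)."""
    role = _role(root)
    if fingerprint(cert_b64) in signing_fingerprints(root):
        return root  # already published, nothing to do
    kds = role.findall(f"{{{MD_NS}}}KeyDescriptor")
    # Schema order: KeyDescriptor precedes the endpoints, so insert right after
    # the last existing KeyDescriptor (or first, if there is none).
    pos = list(role).index(kds[-1]) + 1 if kds else 0
    kd = ET.Element(f"{{{MD_NS}}}KeyDescriptor", use="signing")
    key_info = ET.SubElement(kd, f"{{{DS_NS}}}KeyInfo")
    x509_data = ET.SubElement(key_info, f"{{{DS_NS}}}X509Data")
    ET.SubElement(x509_data, f"{{{DS_NS}}}X509Certificate").text = cert_b64
    role.insert(pos, kd)
    return root


def remove_signing_key(root, old_fp):
    """Step 5: drop the retired certificate, but never the last signing key."""
    role = _role(root)
    victims = [kd for kd in signing_key_descriptors(root)
               if any(c.text and fingerprint(c.text) == old_fp
                      for c in kd.findall(f".//{{{DS_NS}}}X509Certificate"))]
    if len(signing_key_descriptors(root)) - len(victims) < 1:
        raise ValueError("refusing to remove the only signing key; add the new one first")
    for kd in victims:
        role.remove(kd)
    return root


if __name__ == "__main__":
    root = load_metadata(SAMPLE_METADATA)
    add_signing_key(root, NEW_CERT_B64)                   # step 2: both keys published
    print(ET.tostring(root, encoding="unicode"))
    remove_signing_key(root, fingerprint(OLD_CERT_B64))   # step 5: old key retired
    print(signing_fingerprints(root))
```

Run it once with the new certificate to produce the metadata for step 3, check that both fingerprints are listed in what Operations publishes before you reconfigure the IdP in step 4, and only then run the removal for step 5; the guard against removing the last signing key is what prevents the downtime the procedure is designed to avoid.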