The following describes the process in detail for Shibboleth IdPs. The information can be used as inspiration for other IdP implementations.

NOTES:
From Internet2 wiki:
All key descriptors in Shibboleth IdP metadata are of the form <md:KeyDescriptor use="signing">
The majority of XML files under swamid-2.0/ metadata use a KeyDescriptor without the use="signing" attribute. According to the wiki (https://wiki.shibboleth.net/confluence/display/SHIB2/IdPKeyRollover) this is a bug. Do we need to correct this before we can perform key rollover? Presumably not: see swamid.user.uu.se-idp-shibboleth.xml
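One way to check which metadata files carry a KeyDescriptor without a use attribute before starting a rollover. This is an added example, not code from the SWAMID or Shibboleth wiki; the function names are hypothetical and the sample metadata, including the entityID and certificate bodies, is constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata (not a real SWAMID entity); certificate bodies are dummy base64.
SAMPLE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>b2xkLWtleQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>bmV3LWtleQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def audit_key_descriptors(xml_text):
    """Return (entityID, role, use-or-None, sha256 of cert bytes) per KeyDescriptor."""
    root = ET.fromstring(xml_text)
    # Handle both a single EntityDescriptor and an EntitiesDescriptor aggregate.
    entities = [root] if root.tag.endswith("}EntityDescriptor") else root.findall(".//md:EntityDescriptor", NS)
    rows = []
    for ent in entities:
        for role in ent:
            for kd in role.findall("md:KeyDescriptor", NS):
                cert = kd.find(".//ds:X509Certificate", NS)
                der = base64.b64decode("".join(cert.text.split())) if cert is not None and cert.text else b""
                fp = hashlib.sha256(der).hexdigest() if der else None
                rows.append((ent.get("entityID"), role.tag.split("}")[1], kd.get("use"), fp))
    return rows


def missing_use(rows):
    """KeyDescriptors with no use attribute, which SAML treats as valid for signing and encryption."""
    return [r for r in rows if r[2] is None]


if __name__ == "__main__":
    for row in audit_key_descriptors(SAMPLE):
        print(row)
```

Run against each file under swamid-2.0/, the fingerprint column also shows whether the old and new certificates are both published during the overlap period.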