
The term key rollover refers to a process whereby one key is systematically replaced by another key in SAML metadata. Since SAML entities (and therefore SAML metadata) are distributed, key rollover must be deliberate, so as not to break the key operations of a relying party. 

The general process of rolling over a metadata key in an IdP without causing unnecessary downtime is as follows.

  1. Create a new key pair for signing metadata
  2. Add the new KeyDescriptor to your metadata
  3. Publish your new metadata in the SAML Federation (using metadata.swamid.se in SWAMID)
  4. Wait until the newly updated metadata is propagated throughout the Federation
  5. Reconfigure the IdP software to use the new key (instead of the old key) as the signing key
  6. Remove the old KeyDescriptor from your metadata and publish your metadata without the old key in the SAML Federation
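The six steps above as an added example, not code from the SWAMID wiki: a Python script that walks a minimal, constructed IdP metadata document through the overlap state (old and new KeyDescriptor both published) and then retires the old key, refusing to drop the last signing key. The entityID and the certificate strings are placeholders, not real values.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
CERT_PATH = "ds:KeyInfo/ds:X509Data/ds:X509Certificate"

# Constructed minimal IdP metadata with one published signing key; the certificate text is a placeholder.
OLD_CERT, NEW_CERT = "OLD-CERT-BASE64-PLACEHOLDER", "NEW-CERT-BASE64-PLACEHOLDER"
METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{OLD_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def signing_certs(root):
    """Certificates of every KeyDescriptor usable for signing (a missing 'use' means signing and encryption)."""
    role = root.find("md:IDPSSODescriptor", NS)
    return [kd.find(CERT_PATH, NS).text.strip()
            for kd in role.findall("md:KeyDescriptor", NS) if kd.get("use") in (None, "signing")]


def add_signing_key(root, cert_b64):
    """Step 2: publish the new key beside the old one; both stay in metadata during the overlap."""
    role = root.find("md:IDPSSODescriptor", NS)
    kd = ET.Element(f"{{{NS['md']}}}KeyDescriptor", use="signing")
    x509 = ET.SubElement(ET.SubElement(kd, f"{{{NS['ds']}}}KeyInfo"), f"{{{NS['ds']}}}X509Data")
    ET.SubElement(x509, f"{{{NS['ds']}}}X509Certificate").text = cert_b64
    last = role.findall("md:KeyDescriptor", NS)[-1]  # keep KeyDescriptors grouped, as the schema orders them
    role.insert(list(role).index(last) + 1, kd)


def remove_signing_key(root, cert_b64):
    """Step 6: retire the old key, refusing if it is the only signing key relying parties could use."""
    if len(signing_certs(root)) < 2:
        raise ValueError("refusing to remove the only published signing key")
    role = root.find("md:IDPSSODescriptor", NS)
    for kd in role.findall("md:KeyDescriptor", NS):
        if kd.find(CERT_PATH, NS).text.strip() == cert_b64:
            role.remove(kd)
            return


def rollover(metadata_xml, old_cert, new_cert):
    """Overlap stage (steps 2-4) then retirement (step 6); returns the certs published at each stage."""
    root = ET.fromstring(metadata_xml)
    add_signing_key(root, new_cert)
    overlap = signing_certs(root)
    remove_signing_key(root, old_cert)
    return overlap, signing_certs(root)
```

Step 5 (switching the IdP software to sign with the new key) happens between the two stages the script shows, once step 4's propagation wait is over.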

If you need to replace the front-end SSL/TLS key, you do not need to send anything to Operations.

Different KeyDescriptors

The KeyDescriptor holds a certificate, BUT the only interesting part is the public key stored inside the certificate! The private part of the key is kept on the machine responsible for the entity,

...