7. Key Rollover

The use of To minimize interoperability issues, certificates should be long-lived , and self-signed certificates in metadata is strongly recommended. According to the 7. Key Rollover#SAML2int and 7. Key Rollover#MetaIOP profile, the certificate is only a public key container and no method of validating the certificate information may be used. . Note that the security of the federation is based on the signing of the metadata and not on the certificate verification chain or the lifespan of the entity certificates. Signing and encryption certificates MUST NOT be expired

1. Create a new key - pair that is compliant with the federation
2. Create a copy of Copy the existing metadata already published in the federation and add a new KeyDescriptor element containing the public key certificate. The metadata should now contain the old and the new KeyDescriptor element. If there is a KeyDescriptor for signing and one for encrypting do this for both
3. Uploaded certificate for the new key pair. Repeat this process for all KeyDescriptor elements, if applicable.
3. Upload the metadata to the fedrationfederation. Read more about how to publish metadata on the federation website
4. Wait for the new metadata to propagatebe distributed and accepted by all relevant parties.
5. Configure the software to use the new private key
6. Remove the old KeyDescriptor element from the metadata and upload it to the federation.

Example metadata with old and new public key certificatecertificates.

Code Block

language	xml
theme	Confluence

<?xml version="1.0" encoding="UTF-8"?>

...


<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://myhost.example.com/simplesaml/saml2/idp/metadata.php" ID="pfx797787f7-e5bd-acc6-89ef-4d120e679a48"

...

>
  <ds:Signature>

...


    <ds:

...

SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>

...


      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>

...


      <ds:Reference URI="#pfx797787f7-e5bd-acc6-89ef-4d120e679a48"

...

>
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/

...

>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/

...

>
        </ds:

...

Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/

...

>
        <ds:DigestValue>AzMFoTwyoKc0YHcPAaYl5jPIclE=</ds:

...

DigestValue>
      </ds:

...

Reference>
    </ds:

...

SignedInfo>
    <ds:SignatureValue>Srzu2vX2+FC6tTNH+vImIdvfo8fXuWbcF4vkL3NdiTB/ZU3HTmjKg3KkNLKxw/DbGznNdnmi16ImWOqtETSbYDGPUwhYM13PvQ+OIfogmurj5sNE57pa3sg/MEOJB80A7axXCUKsOV4CqLTDZNh/d7imiS2G4VB7Kmo9o0y1ZQtkV6U5LWO87Mw9rIj+D16KiB2HVIqq/cxOJBa4A7BoVuqJi3Qsc7rDjZK8b6e/EhP1QKgfAPwmTIp7K88mfUlD3/fKo9EP5haLuXxjLLKySIwgqR56sLEwHttHMZMPg83zeOLgaeT8+qVA0NeplsM+2c5y2/OMk8vM9Q6ix7eOfg==</ds:SignatureValue>

...


    <ds:

...

KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIDszCCApugAwIBAgIJAP7RfQ50pS1JMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNVBAYTAlNFMRIwEAYDVQQIDAlTdG9ja2hvbG0xEjAQBgNVBAcMCVN0b2NraG9sbTEMMAoGA1UECgwDSUlTMQwwCgYDVQQLDANGZWQxHTAbBgNVBAMMFHNhbWxpZHAubXlkb21haW4ubG9jMB4XDTE1MDgwNDExNDMzNloXDTIwMDgwMzExNDMzNlowcDELMAkGA1UEBhMCU0UxEjAQBgNVBAgMCVN0b2NraG9sbTESMBAGA1UEBwwJU3RvY2tob2xtMQwwCgYDVQQKDANJSVMxDDAKBgNVBAsMA0ZlZDEdMBsGA1UEAwwUc2FtbGlkcC5teWRvbWFpbi5sb2MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDT1HIQFaO7i5Zxt/Nf6kyHzy7gDXXaxLO++E7cjbMnaWUg/5dsWU0oBLpme+1m+7DybQQsIg9+yjqkJkS22z/2go3MB9PBnxmiaplhAYjWN7oBGpo1R1dwofYQZnLo/iBH0rT+odzv8RvxkhLtGASpNR/b5MIwrnIpWLXgcSybAHNQPi/9peW5eNIq26AHF7QwxgUOHnSazNPCWkSjTye00uFHx8xHYQ7Fjq2pifzhTrDABZgtc3ws/bxOwxz2XnbLWAYhivUCSXCtNErLO68yO0X2NILtUJpJJ6JD+yRFjjBp6KFFwcsEIOHnJ7TW+jk+gAYFrRLRZb9Xp/yjO+JFAgMBAAGjUDBOMB0GA1UdDgQWBBTDeQkkzM7pXo6WQmW74xYTvPf5GDAfBgNVHSMEGDAWgBTDeQkkzM7pXo6WQmW74xYTvPf5GDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBawGnUJabQ/V9UG6/+tCZwKCge4qZKVQ67feu4NAIiQKrcnuuQb0U0g/CrwrJ2TTwHzRVJscf5KW9bWhK4Xuwm2Pq+ySTExHputJW8VaAYZ5J5G7K4M7H4zjCRJwdDSSNI3Jv4+Bs/sOi5jcLQ7wk0oCjQkiARFbB6On22WeAun618AHBTVgn0TsP2JasJyJJomrP6IqVF2Ox6/NB0GEr1gRAv5Apzvxvgra72JN9DcPjgsceJrRpTa8BBAglj87SFPq9khCrv1mnu2PQU0KM7aw35IjvgOdAXnBVmMX+S1UvB6UkT6L2T8PbjAR4Y3k8B4lbJxPVfk807TmA07bYF</ds:

...

X509Certificate>
      </ds:

...

X509Data>
    </ds:

...

KeyInfo>
  </ds:Signature>

...


  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">

...


    <md:KeyDescriptor use="signing">

...


      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

...


        <ds:X509Data>

...


          <ds:X509Certificate>MIIDszCCApugAwIBAgIJAP7RfQ50pS1JMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNVBAYTAlNFMRIwEAYDVQQIDAlTdG9ja2hvbG0xEjAQBgNVBAcMCVN0b2NraG9sbTEMMAoGA1UECgwDSUlTMQwwCgYDVQQLDANGZWQxHTAbBgNVBAMMFHNhbWxpZHAubXlkb21haW4ubG9jMB4XDTE1MDgwNDExNDMzNloXDTIwMDgwMzExNDMzNlowcDELMAkGA1UEBhMCU0UxEjAQBgNVBAgMCVN0b2NraG9sbTESMBAGA1UEBwwJU3RvY2tob2xtMQwwCgYDVQQKDANJSVMxDDAKBgNVBAsMA0ZlZDEdMBsGA1UEAwwUc2FtbGlkcC5teWRvbWFpbi5sb2MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDT1HIQFaO7i5Zxt/Nf6kyHzy7gDXXaxLO++E7cjbMnaWUg/5dsWU0oBLpme+1m+7DybQQsIg9+yjqkJkS22z/2go3MB9PBnxmiaplhAYjWN7oBGpo1R1dwofYQZnLo/iBH0rT+odzv8RvxkhLtGASpNR/b5MIwrnIpWLXgcSybAHNQPi/9peW5eNIq26AHF7QwxgUOHnSazNPCWkSjTye00uFHx8xHYQ7Fjq2pifzhTrDABZgtc3ws/bxOwxz2XnbLWAYhivUCSXCtNErLO68yO0X2NILtUJpJJ6JD+yRFjjBp6KFFwcsEIOHnJ7TW+jk+gAYFrRLRZb9Xp/yjO+JFAgMBAAGjUDBOMB0GA1UdDgQWBBTDeQkkzM7pXo6WQmW74xYTvPf5GDAfBgNVHSMEGDAWgBTDeQkkzM7pXo6WQmW74xYTvPf5GDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBawGnUJabQ/V9UG6/+tCZwKCge4qZKVQ67feu4NAIiQKrcnuuQb0U0g/CrwrJ2TTwHzRVJscf5KW9bWhK4Xuwm2Pq+ySTExHputJW8VaAYZ5J5G7K4M7H4zjCRJwdDSSNI3Jv4+Bs/sOi5jcLQ7wk0oCjQkiARFbB6On22WeAun618AHBTVgn0TsP2JasJyJJomrP6IqVF2Ox6/NB0GEr1gRAv5Apzvxvgra72JN9DcPjgsceJrRpTa8BBAglj87SFPq9khCrv1mnu2PQU0KM7aw35IjvgOdAXnBVmMX+S1UvB6UkT6L2T8PbjAR4Y3k8B4lbJxPVfk807TmA07bYF</ds:X509Certificate>

...


        </ds:X509Data>

...


      </ds:KeyInfo>

...


    </md:KeyDescriptor>

...


    <md:KeyDescriptor use="signing">

...


      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

...


        <ds:X509Data>

...


          <ds:X509Certificate>MIIDrzCCApegAwIBAgIJAOoNi9OD7ABuMA0GCSqGSIb3DQEBCwUAMG4xCzAJBgNVBAYTAlNFMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQHDARjaXR5MRQwEgYDVQQKDAtleGFtcGxlIG9yZzETMBEGA1UECwwKZXhhbXBsZSBvdTEQMA4GA1UEAwwHTXkgTmFtZTAeFw0xNzEwMTgxMzE1NDlaFw0yNzEwMTgxMzE1NDlaMG4xCzAJBgNVBAYTAlNFMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQHDARjaXR5MRQwEgYDVQQKDAtleGFtcGxlIG9yZzETMBEGA1UECwwKZXhhbXBsZSBvdTEQMA4GA1UEAwwHTXkgTmFtZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK59vVP9/nHcDtvFLKeRO6VxcYSar8vmY5fM4OkeptnTooP9YFbeX/iFP+J9RWnnjwPK8egqYNjvRIA6B/+GZkHszK5Mm7SfTG9ePjtUZCBuFERgbCS2xOXoZIUnt4Uj4kSoJx4pLxQTLnxKW36bqPQLFbM1BjfqwrlYhynNSZEHBH15GCKCAzp1mTFOtCuAs7qZy17+Xs/qiFHWXGLqfq2/XWSGS9mC49BMZueVcFRher2bFD0E/SXa7lkRyuOkmXK7TfAa+r8kEsQrqTaCI6BFPhel1TXBtjQVvVSFvK2d3OwdRS2Bt9OkdbuAmy1OCkxH+QiIxNg3Nhhg4Hg0t8ECAwEAAaNQME4wHQYDVR0OBBYEFHDnZFLGR3G518zCMxAbsbSD079FMB8GA1UdIwQYMBaAFHDnZFLGR3G518zCMxAbsbSD079FMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGPDJYjbGA58g8fMOjUzmNBNOjRxfl4D47Su0AMd6BNmycs254FdayCyHsxAcZn5w6vKt/of3sX7qS1VYcrl0HIP9f1aNGHMsphTR4vozhrvAD4kXJXP1orBXR9ViU+MfXK4vBcCH8C9tS3yJqUUpwuTrhOK0FR5AsYoQJ7rKiN5lwAJaQL7IwNasJgaSsgEZFl3L1jAENn9Ur1+JHLQGUY/39aqah8IzasN5U32PKIIWvBMhLuV78Bd1Wyh6w0zf6TyKN90AKj1NBgxJFz0yfZ0dOSthHx6hWRcTrP31//+YR8YYXmuD86C2TCeZutB7ig/lsqJ8z4Pv/lccr45+N0=</ds:X509Certificate>

...


        </ds:X509Data>

...


      </ds:KeyInfo>

...


    </md:KeyDescriptor>

...


    <md:KeyDescriptor use="encryption">

...


      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

...


        <ds:X509Data>

...


          <ds:X509Certificate>MIIDszCCApugAwIBAgIJAP7RfQ50pS1JMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNVBAYTAlNFMRIwEAYDVQQIDAlTdG9ja2hvbG0xEjAQBgNVBAcMCVN0b2NraG9sbTEMMAoGA1UECgwDSUlTMQwwCgYDVQQLDANGZWQxHTAbBgNVBAMMFHNhbWxpZHAubXlkb21haW4ubG9jMB4XDTE1MDgwNDExNDMzNloXDTIwMDgwMzExNDMzNlowcDELMAkGA1UEBhMCU0UxEjAQBgNVBAgMCVN0b2NraG9sbTESMBAGA1UEBwwJU3RvY2tob2xtMQwwCgYDVQQKDANJSVMxDDAKBgNVBAsMA0ZlZDEdMBsGA1UEAwwUc2FtbGlkcC5teWRvbWFpbi5sb2MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDT1HIQFaO7i5Zxt/Nf6kyHzy7gDXXaxLO++E7cjbMnaWUg/5dsWU0oBLpme+1m+7DybQQsIg9+yjqkJkS22z/2go3MB9PBnxmiaplhAYjWN7oBGpo1R1dwofYQZnLo/iBH0rT+odzv8RvxkhLtGASpNR/b5MIwrnIpWLXgcSybAHNQPi/9peW5eNIq26AHF7QwxgUOHnSazNPCWkSjTye00uFHx8xHYQ7Fjq2pifzhTrDABZgtc3ws/bxOwxz2XnbLWAYhivUCSXCtNErLO68yO0X2NILtUJpJJ6JD+yRFjjBp6KFFwcsEIOHnJ7TW+jk+gAYFrRLRZb9Xp/yjO+JFAgMBAAGjUDBOMB0GA1UdDgQWBBTDeQkkzM7pXo6WQmW74xYTvPf5GDAfBgNVHSMEGDAWgBTDeQkkzM7pXo6WQmW74xYTvPf5GDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBawGnUJabQ/V9UG6/+tCZwKCge4qZKVQ67feu4NAIiQKrcnuuQb0U0g/CrwrJ2TTwHzRVJscf5KW9bWhK4Xuwm2Pq+ySTExHputJW8VaAYZ5J5G7K4M7H4zjCRJwdDSSNI3Jv4+Bs/sOi5jcLQ7wk0oCjQkiARFbB6On22WeAun618AHBTVgn0TsP2JasJyJJomrP6IqVF2Ox6/NB0GEr1gRAv5Apzvxvgra72JN9DcPjgsceJrRpTa8BBAglj87SFPq9khCrv1mnu2PQU0KM7aw35IjvgOdAXnBVmMX+S1UvB6UkT6L2T8PbjAR4Y3k8B4lbJxPVfk807TmA07bYF</ds:X509Certificate>

...


        </ds:X509Data>

...


      </ds:KeyInfo>

...


    </md:KeyDescriptor>

...


    <md:KeyDescriptor use="encryption">

...


      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">

...


        <ds:X509Data>

...


          <ds:X509Certificate>MIIDrzCCApegAwIBAgIJAOoNi9OD7ABuMA0GCSqGSIb3DQEBCwUAMG4xCzAJBgNVBAYTAlNFMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQHDARjaXR5MRQwEgYDVQQKDAtleGFtcGxlIG9yZzETMBEGA1UECwwKZXhhbXBsZSBvdTEQMA4GA1UEAwwHTXkgTmFtZTAeFw0xNzEwMTgxMzE1NDlaFw0yNzEwMTgxMzE1NDlaMG4xCzAJBgNVBAYTAlNFMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQHDARjaXR5MRQwEgYDVQQKDAtleGFtcGxlIG9yZzETMBEGA1UECwwKZXhhbXBsZSBvdTEQMA4GA1UEAwwHTXkgTmFtZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK59vVP9/nHcDtvFLKeRO6VxcYSar8vmY5fM4OkeptnTooP9YFbeX/iFP+J9RWnnjwPK8egqYNjvRIA6B/+GZkHszK5Mm7SfTG9ePjtUZCBuFERgbCS2xOXoZIUnt4Uj4kSoJx4pLxQTLnxKW36bqPQLFbM1BjfqwrlYhynNSZEHBH15GCKCAzp1mTFOtCuAs7qZy17+Xs/qiFHWXGLqfq2/XWSGS9mC49BMZueVcFRher2bFD0E/SXa7lkRyuOkmXK7TfAa+r8kEsQrqTaCI6BFPhel1TXBtjQVvVSFvK2d3OwdRS2Bt9OkdbuAmy1OCkxH+QiIxNg3Nhhg4Hg0t8ECAwEAAaNQME4wHQYDVR0OBBYEFHDnZFLGR3G518zCMxAbsbSD079FMB8GA1UdIwQYMBaAFHDnZFLGR3G518zCMxAbsbSD079FMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGPDJYjbGA58g8fMOjUzmNBNOjRxfl4D47Su0AMd6BNmycs254FdayCyHsxAcZn5w6vKt/of3sX7qS1VYcrl0HIP9f1aNGHMsphTR4vozhrvAD4kXJXP1orBXR9ViU+MfXK4vBcCH8C9tS3yJqUUpwuTrhOK0FR5AsYoQJ7rKiN5lwAJaQL7IwNasJgaSsgEZFl3L1jAENn9Ur1+JHLQGUY/39aqah8IzasN5U32PKIIWvBMhLuV78Bd1Wyh6w0zf6TyKN90AKj1NBgxJFz0yfZ0dOSthHx6hWRcTrP31//+YR8YYXmuD86C2TCeZutB7ig/lsqJ8z4Pv/lccr45+N0=</ds:X509Certificate>

...


        </ds:X509Data>

...


      </ds:KeyInfo>

...


    </md:KeyDescriptor>

...


    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://myhost.example.com/simplesaml/saml2/idp/SingleLogoutService.php"/>

...


    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>

...


    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>

...


    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://myhost.example.com/simplesaml/saml2/idp/SSOService.php"/>

...


  </md:IDPSSODescriptor>

...


  <md:Organization>

...


    <md:OrganizationName xml:lang="en">Example organization</md:OrganizationName>

...


    <md:OrganizationName xml:lang="sv">Exempel organisation</md:OrganizationName>

...


    <md:OrganizationDisplayName xml:lang="en">Example organization</md:OrganizationDisplayName>

...


    <md:OrganizationDisplayName xml:lang="sv">Exempel organisation</md:OrganizationDisplayName>

...


    <md:OrganizationURL xml:lang="en">www.example.com</md:OrganizationURL>

...


    <md:OrganizationURL xml:lang="sv">www.example.com</md:OrganizationURL>

...


  </md:Organization>

...


  <md:ContactPerson contactType="technical" xml:lang="sv">

...


    <md:GivenName>Kalle</md:GivenName>

...


    <md:SurName>Andersson</md:SurName>

...


    <md:EmailAddress>kalle.andersson@example.com</md:EmailAddress>

...


    <md:TelephoneNumber>+468123456</md:TelephoneNumber>

...


  </md:ContactPerson>

...


  <md:ContactPerson contactType="technical" xml:lang="en">

...


    <md:GivenName>Kalle</md:GivenName>

...


    <md:SurName>Andersson</md:SurName>

...


    <md:EmailAddress>kalle.andersson@example.com</md:EmailAddress>

...


    <md:TelephoneNumber>+468123456</md:TelephoneNumber>

...


  </md:ContactPerson>

...


  <md:ContactPerson contactType="support" xml:lang="sv">

...


    <md:GivenName>Kalle</md:GivenName>

...


    <md:SurName>Andersson</md:SurName>

...


    <md:EmailAddress>kalle.andersson@example.com</md:EmailAddress>

...


    <md:TelephoneNumber>+468123456</md:TelephoneNumber>

...


  </md:ContactPerson>

...


  <md:ContactPerson contactType="support" xml:lang="en">

...


    <md:GivenName>Kalle</md:GivenName>

...


    <md:SurName>Andersson</md:SurName>

...


    <md:EmailAddress>kalle.andersson@example.com</md:EmailAddress>

...


    <md:TelephoneNumber>+468123456</md:TelephoneNumber>

...


  </md:ContactPerson>

...


</md:EntityDescriptor>

...

SAML2int

Wiki Markup

[<span style="color: #0000ee">{+}<span class="nobr"><a href="http://saml2int.org/profile/current/+" class="external-link" rel="nofollow">http://saml2int.org/profile/current/+<sup><img class="rendericon" src="/images/icons/linkext7.gif" height="7" width="7" align="absmiddle" alt="" border="0"/></sup></a></span></span>|http://saml2int.org/profile/current/]  5 Metadata and Trust Management  Identity Providers and Service Providers MUST provide a SAML 2.0 Metadata document representing its entity. How metadata is exchanged is out of scope of this specification. Provided metadata MUST conform to the SAML V2.0 Metadata Interoperability Profile Version 1.0 \[MetaIOP\].

MetaIOP

...

Page tree

Versions Compared

Old Version 2

New Version Current

Key

7. Key Rollover

SAML2int

MetaIOP

Page tree

Page History

Versions Compared

Old Version 2

New Version Current

Key

7. Key Rollover

SAML2int

MetaIOP