Versions Compared

Old Version 4

changes.mady.by.user Stefan Halen

Saved on

compared with

New Version Current

changes.mady.by.user Stefan Halen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...


1. Create a new key pair that is compliant with the federation
2. Create a copy of Copy the existing metadata already published in the federation and add a new KeyDescriptor element containing the public key certificate. The metadata should now contain the old and the new KeyDescriptor element. If there is a KeyDescriptor for signing and one for encrypting do this for both
3. Uploaded certificate for the new key pair. Repeat this process for all KeyDescriptor elements, if applicable.
3. Upload the metadata to the federation. Read more about how to publish metadata on the federation website
4. Wait for the new metadata to propagatebe distributed and accepted by all relevant parties.
5. Configure the software to use the new private key
6. Remove the old KeyDescriptor element from the metadata and upload it to the federation.

Example metadata with old and new public key certificates.

Code Block
languagexml
themeConfluence
<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://myhost.example.com/simplesaml/saml2/idp/metadata.php" ID="pfx797787f7-e5bd-acc6-89ef-4d120e679a48">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#pfx797787f7-e5bd-acc6-89ef-4d120e679a48">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>AzMFoTwyoKc0YHcPAaYl5jPIclE=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Srzu2vX2+FC6tTNH+vImIdvfo8fXuWbcF4vkL3NdiTB/ZU3HTmjKg3KkNLKxw/DbGznNdnmi16ImWOqtETSbYDGPUwhYM13PvQ+OIfogmurj5sNE57pa3sg/MEOJB80A7axXCUKsOV4CqLTDZNh/d7imiS2G4VB7Kmo9o0y1ZQtkV6U5LWO87Mw9rIj+D16KiB2HVIqq/cxOJBa4A7BoVuqJi3Qsc7rDjZK8b6e/EhP1QKgfAPwmTIp7K88mfUlD3/fKo9EP5haLuXxjLLKySIwgqR56sLEwHttHMZMPg83zeOLgaeT8+qVA0NeplsM+2c5y2/OMk8vM9Q6ix7eOfg==</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIIDszCCApugAwIBAgIJAP7RfQ50pS1JMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNVBAYTAlNFMRIwEAYDVQQIDAlTdG9ja2hvbG0xEjAQBgNVBAcMCVN0b2NraG9sbTEMMAoGA1UECgwDSUlTMQwwCgYDVQQLDANGZWQxHTAbBgNVBAMMFHNhbWxpZHAubXlkb21haW4ubG9jMB4XDTE1MDgwNDExNDMzNloXDTIwMDgwMzExNDMzNlowcDELMAkGA1UEBhMCU0UxEjAQBgNVBAgMCVN0b2NraG9sbTESMBAGA1UEBwwJU3RvY2tob2xtMQwwCgYDVQQKDANJSVMxDDAKBgNVBAsMA0ZlZDEdMBsGA1UEAwwUc2FtbGlkcC5teWRvbWFpbi5sb2MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDT1HIQFaO7i5Zxt/Nf6kyHzy7gDXXaxLO++E7cjbMnaWUg/5dsWU0oBLpme+1m+7DybQQsIg9+yjqkJkS22z/2go3MB9PBnxmiaplhAYjWN7oBGpo1R1dwofYQZnLo/iBH0rT+odzv8RvxkhLtGASpNR/b5MIwrnIpWLXgcSybAHNQPi/9peW5eNIq26AHF7QwxgUOHnSazNPCWkSjTye00uFHx8xHYQ7Fjq2pifzhTrDABZgtc3ws/bxOwxz2XnbLWAYhivUCSXCtNErLO68yO0X2NILtUJpJJ6JD+yRFjjBp6KFFwcsEIOHnJ7TW+jk+gAYFrRLRZb9Xp/yjO+JFAgMBAAGjUDBOMB0GA1UdDgQWBBTDeQkkzM7pXo6WQmW74xYTvPf5GDAfBgNVHSMEGDAWgBTDeQkkzM7pXo6WQmW74xYTvPf5GDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBawGnUJabQ/V9UG6/+tCZwKCge4qZKVQ67feu4NAIiQKrcnuuQb0U0g/CrwrJ2TTwHzRVJscf5KW9bWhK4Xuwm2Pq+ySTExHputJW8VaAYZ5J5G7K4M7H4zjCRJwdDSSNI3Jv4+Bs/sOi5jcLQ7wk0oCjQkiARFbB6On22WeAun618AHBTVgn0TsP2JasJyJJomrP6IqVF2Ox6/NB0GEr1gRAv5Apzvxvgra72JN9DcPjgsceJrRpTa8BBAglj87SFPq9khCrv1mnu2PQU0KM7aw35IjvgOdAXnBVmMX+S1UvB6UkT6L2T8PbjAR4Y3k8B4lbJxPVfk807TmA07bYF</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDszCCApugAwIBAgIJAP7RfQ50pS1JMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNVBAYTAlNFMRIwEAYDVQQIDAlTdG9ja2hvbG0xEjAQBgNVBAcMCVN0b2NraG9sbTEMMAoGA1UECgwDSUlTMQwwCgYDVQQLDANGZWQxHTAbBgNVBAMMFHNhbWxpZHAubXlkb21haW4ubG9jMB4XDTE1MDgwNDExNDMzNloXDTIwMDgwMzExNDMzNlowcDELMAkGA1UEBhMCU0UxEjAQBgNVBAgMCVN0b2NraG9sbTESMBAGA1UEBwwJU3RvY2tob2xtMQwwCgYDVQQKDANJSVMxDDAKBgNVBAsMA0ZlZDEdMBsGA1UEAwwUc2FtbGlkcC5teWRvbWFpbi5sb2MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDT1HIQFaO7i5Zxt/Nf6kyHzy7gDXXaxLO++E7cjbMnaWUg/5dsWU0oBLpme+1m+7DybQQsIg9+yjqkJkS22z/2go3MB9PBnxmiaplhAYjWN7oBGpo1R1dwofYQZnLo/iBH0rT+odzv8RvxkhLtGASpNR/b5MIwrnIpWLXgcSybAHNQPi/9peW5eNIq26AHF7QwxgUOHnSazNPCWkSjTye00uFHx8xHYQ7Fjq2pifzhTrDABZgtc3ws/bxOwxz2XnbLWAYhivUCSXCtNErLO68yO0X2NILtUJpJJ6JD+yRFjjBp6KFFwcsEIOHnJ7TW+jk+gAYFrRLRZb9Xp/yjO+JFAgMBAAGjUDBOMB0GA1UdDgQWBBTDeQkkzM7pXo6WQmW74xYTvPf5GDAfBgNVHSMEGDAWgBTDeQkkzM7pXo6WQmW74xYTvPf5GDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBawGnUJabQ/V9UG6/+tCZwKCge4qZKVQ67feu4NAIiQKrcnuuQb0U0g/CrwrJ2TTwHzRVJscf5KW9bWhK4Xuwm2Pq+ySTExHputJW8VaAYZ5J5G7K4M7H4zjCRJwdDSSNI3Jv4+Bs/sOi5jcLQ7wk0oCjQkiARFbB6On22WeAun618AHBTVgn0TsP2JasJyJJomrP6IqVF2Ox6/NB0GEr1gRAv5Apzvxvgra72JN9DcPjgsceJrRpTa8BBAglj87SFPq9khCrv1mnu2PQU0KM7aw35IjvgOdAXnBVmMX+S1UvB6UkT6L2T8PbjAR4Y3k8B4lbJxPVfk807TmA07bYF</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDrzCCApegAwIBAgIJAOoNi9OD7ABuMA0GCSqGSIb3DQEBCwUAMG4xCzAJBgNVBAYTAlNFMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQHDARjaXR5MRQwEgYDVQQKDAtleGFtcGxlIG9yZzETMBEGA1UECwwKZXhhbXBsZSBvdTEQMA4GA1UEAwwHTXkgTmFtZTAeFw0xNzEwMTgxMzE1NDlaFw0yNzEwMTgxMzE1NDlaMG4xCzAJBgNVBAYTAlNFMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQHDARjaXR5MRQwEgYDVQQKDAtleGFtcGxlIG9yZzETMBEGA1UECwwKZXhhbXBsZSBvdTEQMA4GA1UEAwwHTXkgTmFtZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK59vVP9/nHcDtvFLKeRO6VxcYSar8vmY5fM4OkeptnTooP9YFbeX/iFP+J9RWnnjwPK8egqYNjvRIA6B/+GZkHszK5Mm7SfTG9ePjtUZCBuFERgbCS2xOXoZIUnt4Uj4kSoJx4pLxQTLnxKW36bqPQLFbM1BjfqwrlYhynNSZEHBH15GCKCAzp1mTFOtCuAs7qZy17+Xs/qiFHWXGLqfq2/XWSGS9mC49BMZueVcFRher2bFD0E/SXa7lkRyuOkmXK7TfAa+r8kEsQrqTaCI6BFPhel1TXBtjQVvVSFvK2d3OwdRS2Bt9OkdbuAmy1OCkxH+QiIxNg3Nhhg4Hg0t8ECAwEAAaNQME4wHQYDVR0OBBYEFHDnZFLGR3G518zCMxAbsbSD079FMB8GA1UdIwQYMBaAFHDnZFLGR3G518zCMxAbsbSD079FMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGPDJYjbGA58g8fMOjUzmNBNOjRxfl4D47Su0AMd6BNmycs254FdayCyHsxAcZn5w6vKt/of3sX7qS1VYcrl0HIP9f1aNGHMsphTR4vozhrvAD4kXJXP1orBXR9ViU+MfXK4vBcCH8C9tS3yJqUUpwuTrhOK0FR5AsYoQJ7rKiN5lwAJaQL7IwNasJgaSsgEZFl3L1jAENn9Ur1+JHLQGUY/39aqah8IzasN5U32PKIIWvBMhLuV78Bd1Wyh6w0zf6TyKN90AKj1NBgxJFz0yfZ0dOSthHx6hWRcTrP31//+YR8YYXmuD86C2TCeZutB7ig/lsqJ8z4Pv/lccr45+N0=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDszCCApugAwIBAgIJAP7RfQ50pS1JMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNVBAYTAlNFMRIwEAYDVQQIDAlTdG9ja2hvbG0xEjAQBgNVBAcMCVN0b2NraG9sbTEMMAoGA1UECgwDSUlTMQwwCgYDVQQLDANGZWQxHTAbBgNVBAMMFHNhbWxpZHAubXlkb21haW4ubG9jMB4XDTE1MDgwNDExNDMzNloXDTIwMDgwMzExNDMzNlowcDELMAkGA1UEBhMCU0UxEjAQBgNVBAgMCVN0b2NraG9sbTESMBAGA1UEBwwJU3RvY2tob2xtMQwwCgYDVQQKDANJSVMxDDAKBgNVBAsMA0ZlZDEdMBsGA1UEAwwUc2FtbGlkcC5teWRvbWFpbi5sb2MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDT1HIQFaO7i5Zxt/Nf6kyHzy7gDXXaxLO++E7cjbMnaWUg/5dsWU0oBLpme+1m+7DybQQsIg9+yjqkJkS22z/2go3MB9PBnxmiaplhAYjWN7oBGpo1R1dwofYQZnLo/iBH0rT+odzv8RvxkhLtGASpNR/b5MIwrnIpWLXgcSybAHNQPi/9peW5eNIq26AHF7QwxgUOHnSazNPCWkSjTye00uFHx8xHYQ7Fjq2pifzhTrDABZgtc3ws/bxOwxz2XnbLWAYhivUCSXCtNErLO68yO0X2NILtUJpJJ6JD+yRFjjBp6KFFwcsEIOHnJ7TW+jk+gAYFrRLRZb9Xp/yjO+JFAgMBAAGjUDBOMB0GA1UdDgQWBBTDeQkkzM7pXo6WQmW74xYTvPf5GDAfBgNVHSMEGDAWgBTDeQkkzM7pXo6WQmW74xYTvPf5GDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBawGnUJabQ/V9UG6/+tCZwKCge4qZKVQ67feu4NAIiQKrcnuuQb0U0g/CrwrJ2TTwHzRVJscf5KW9bWhK4Xuwm2Pq+ySTExHputJW8VaAYZ5J5G7K4M7H4zjCRJwdDSSNI3Jv4+Bs/sOi5jcLQ7wk0oCjQkiARFbB6On22WeAun618AHBTVgn0TsP2JasJyJJomrP6IqVF2Ox6/NB0GEr1gRAv5Apzvxvgra72JN9DcPjgsceJrRpTa8BBAglj87SFPq9khCrv1mnu2PQU0KM7aw35IjvgOdAXnBVmMX+S1UvB6UkT6L2T8PbjAR4Y3k8B4lbJxPVfk807TmA07bYF</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDrzCCApegAwIBAgIJAOoNi9OD7ABuMA0GCSqGSIb3DQEBCwUAMG4xCzAJBgNVBAYTAlNFMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQHDARjaXR5MRQwEgYDVQQKDAtleGFtcGxlIG9yZzETMBEGA1UECwwKZXhhbXBsZSBvdTEQMA4GA1UEAwwHTXkgTmFtZTAeFw0xNzEwMTgxMzE1NDlaFw0yNzEwMTgxMzE1NDlaMG4xCzAJBgNVBAYTAlNFMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQHDARjaXR5MRQwEgYDVQQKDAtleGFtcGxlIG9yZzETMBEGA1UECwwKZXhhbXBsZSBvdTEQMA4GA1UEAwwHTXkgTmFtZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK59vVP9/nHcDtvFLKeRO6VxcYSar8vmY5fM4OkeptnTooP9YFbeX/iFP+J9RWnnjwPK8egqYNjvRIA6B/+GZkHszK5Mm7SfTG9ePjtUZCBuFERgbCS2xOXoZIUnt4Uj4kSoJx4pLxQTLnxKW36bqPQLFbM1BjfqwrlYhynNSZEHBH15GCKCAzp1mTFOtCuAs7qZy17+Xs/qiFHWXGLqfq2/XWSGS9mC49BMZueVcFRher2bFD0E/SXa7lkRyuOkmXK7TfAa+r8kEsQrqTaCI6BFPhel1TXBtjQVvVSFvK2d3OwdRS2Bt9OkdbuAmy1OCkxH+QiIxNg3Nhhg4Hg0t8ECAwEAAaNQME4wHQYDVR0OBBYEFHDnZFLGR3G518zCMxAbsbSD079FMB8GA1UdIwQYMBaAFHDnZFLGR3G518zCMxAbsbSD079FMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGPDJYjbGA58g8fMOjUzmNBNOjRxfl4D47Su0AMd6BNmycs254FdayCyHsxAcZn5w6vKt/of3sX7qS1VYcrl0HIP9f1aNGHMsphTR4vozhrvAD4kXJXP1orBXR9ViU+MfXK4vBcCH8C9tS3yJqUUpwuTrhOK0FR5AsYoQJ7rKiN5lwAJaQL7IwNasJgaSsgEZFl3L1jAENn9Ur1+JHLQGUY/39aqah8IzasN5U32PKIIWvBMhLuV78Bd1Wyh6w0zf6TyKN90AKj1NBgxJFz0yfZ0dOSthHx6hWRcTrP31//+YR8YYXmuD86C2TCeZutB7ig/lsqJ8z4Pv/lccr45+N0=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://myhost.example.com/simplesaml/saml2/idp/SingleLogoutService.php"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://myhost.example.com/simplesaml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">Example organization</md:OrganizationName>
    <md:OrganizationName xml:lang="sv">Exempel organisation</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">Example organization</md:OrganizationDisplayName>
    <md:OrganizationDisplayName xml:lang="sv">Exempel organisation</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">www.example.com</md:OrganizationURL>
    <md:OrganizationURL xml:lang="sv">www.example.com</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical" xml:lang="sv">
    <md:GivenName>Kalle</md:GivenName>
    <md:SurName>Andersson</md:SurName>
    <md:EmailAddress>kalle.andersson@example.com</md:EmailAddress>
    <md:TelephoneNumber>+468123456</md:TelephoneNumber>
  </md:ContactPerson>
  <md:ContactPerson contactType="technical" xml:lang="en">
    <md:GivenName>Kalle</md:GivenName>
    <md:SurName>Andersson</md:SurName>
    <md:EmailAddress>kalle.andersson@example.com</md:EmailAddress>
    <md:TelephoneNumber>+468123456</md:TelephoneNumber>
  </md:ContactPerson>
  <md:ContactPerson contactType="support" xml:lang="sv">
    <md:GivenName>Kalle</md:GivenName>
    <md:SurName>Andersson</md:SurName>
    <md:EmailAddress>kalle.andersson@example.com</md:EmailAddress>
    <md:TelephoneNumber>+468123456</md:TelephoneNumber>
  </md:ContactPerson>
  <md:ContactPerson contactType="support" xml:lang="en">
    <md:GivenName>Kalle</md:GivenName>
    <md:SurName>Andersson</md:SurName>
    <md:EmailAddress>kalle.andersson@example.com</md:EmailAddress>
    <md:TelephoneNumber>+468123456</md:TelephoneNumber>
  </md:ContactPerson>
</md:EntityDescriptor>

...