Cliquez ici pour la version française

IdP SAML certificate rollover instructions

References :

When do I need to perform SAML certificate rollover ?

An IdP administrator have to renew the SAML certificate when:

  1. the certificate has expired;
  2. the certificate have a too small key size;
  3. the private key had been compromised.

Managing the rollover through the federation registry

The federation registry allows SAML entities administrators to declare two different certificates per entity in order to manage the transition time.

Though, some SAML implementations (e.g. simpleSAMLphp) do only use the first certificate present for a given entity in the metadata. If an SP adds a second (new) certificate for the transition period, it will only appear for “signing” usage in the KeyDescriptor XML tag. No transition time is possible if encryption is enabled. You should disable the SP option that force encrypted responses from IdP during the shift period.