I have a saml.config based configuration, a certificate that's expiring soon, and a new one in hand.
Am I correct to assume that the Secondary and Tertiary Certificate configuration options are for handling certificate expiration issues on the SP and IdP sides? I found nothing in the Developer Guide, or in the forums that addresses the use cases for these certificates, or how they are processed during inbound or outbound SSO.
Let's consider the inbound SSO first. (These are unsolicited SAML Responses from a partner IdP to my site.) If I add the SecondaryLocalCertificateFile in my <ServiceProvider> stanza, can I support (A) incoming SSOs from partners still using my old certificate, and (B) incoming SSOs from partners who have updated on their side to use my new certificate? Does the toolkit try signature verification with the primary certificate first, then the secondary, etc.?
Now the outbound case, where my site is the IdentityProvider. I have, say, 20 service providers to whom I send unsolicited SAML Responses. How can I handle the certificate update here? Do I add the SecondaryLocalCertificateFile setting to my <IdentityProvider> stanza? (That didn't throw an exception when I tried it.) Then, how do I configure each <PartnerServiceProvider> to identify which certificate to use to sign the Response? PartnerCertificateFile is the partner's certificate used for encryption, so I know it's not that. Is it LocalConfigurationFile?
These are guesses, though. I would appreciate any guidance on how this all works, or a pointer to some documentation that addresses certificate expiration using the toolkit.