Your certificate is used for signing SAML messages you send as well as encrypting the SAML assertion you receive. You can tell from the PartnerIdentityProviderConfiguration whether or not you're signing SAML messages sent to them (e.g. SignAuthnRequest etc.). You can also tell whether you want the SAML assertions encrypted (i.e. WantAssertionEncrypted). However, there isn't an easy way to tell that the identity provider will encrypt the SAML assertion regardless.

My recommendation, if possible, is to ask those identity providers for whom WantAssertionEncrypted is false to not encrypt the SAML assertion. If it's their requirement that they encrypt the SAML assertion, then set WantAssertionEncrypted to true to match this requirement. You can then say any identity provider with Sign* or WantAssertionEncrypted true should be given the new certificate.

You might also like to take a look at the "Certificate Rollover" section of the Certificate Guide:

https://www.componentspace.com/forums/8238/Certificate-Guide

It outlines some strategies for staggered certificate rollovers etc. You can also configure multiple certificates. This will help if an identity provider is still using your old certificate for the SAML assertion encryption.
Regards,
ComponentSpace Development
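The rule given in the reply above (any partner with a Sign* flag or WantAssertionEncrypted set to true must receive the new certificate, and any partner with WantAssertionEncrypted false should be asked whether it encrypts anyway) can be applied mechanically to a configuration file. The script below is an added example, not ComponentSpace code and not from the original post; the JSON layout it reads is an assumption loosely modelled on the appsettings style, and the partner names, file names and flag values are constructed for illustration. It also checks that both the old and the new certificate are present in LocalCertificates, which is the "multiple certificates" arrangement the reply recommends during a staggered rollover.

```python
"""Plan a service-provider certificate rollover from a SAML partner configuration.

Added example (not ComponentSpace code). Assumption: configuration is JSON with
"LocalServiceProviderConfiguration" -> "LocalCertificates" and a list of
"PartnerIdentityProviderConfigurations", each carrying boolean flags such as
SignAuthnRequest, SignLogoutRequest and WantAssertionEncrypted.
"""
import json

# Constructed sample configuration; every name, path and value is invented.
SAMPLE_CONFIG = """
{
  "LocalServiceProviderConfiguration": {
    "Name": "https://sp.example.com",
    "LocalCertificates": [
      { "FileName": "certificates/sp-new.pfx", "Password": "..." },
      { "FileName": "certificates/sp-old.pfx", "Password": "..." }
    ]
  },
  "PartnerIdentityProviderConfigurations": [
    { "Name": "https://idp-a.example.com", "SignAuthnRequest": true,  "WantAssertionEncrypted": false },
    { "Name": "https://idp-b.example.com", "SignAuthnRequest": false, "WantAssertionEncrypted": true },
    { "Name": "https://idp-c.example.com", "SignAuthnRequest": false, "SignLogoutRequest": true },
    { "Name": "https://idp-d.example.com", "SignatureMethod": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" }
  ]
}
"""


def load_config(text: str) -> dict:
    """Parse the JSON configuration text into a dict."""
    return json.loads(text)


def needs_new_certificate(partner: dict) -> bool:
    """True if the SP's certificate is in use with this partner.

    Either we sign something we send to them (any boolean Sign* flag is true) or
    they encrypt the assertion to our public key (WantAssertionEncrypted true).
    Only boolean values count, so string settings such as a SignatureMethod URI
    that happen to start with "Sign" are ignored.
    """
    signs_outgoing = any(
        isinstance(value, bool) and value
        for key, value in partner.items()
        if key.startswith("Sign")
    )
    return signs_outgoing or partner.get("WantAssertionEncrypted", False) is True


def plan_rollover(config: dict) -> dict:
    """Bucket partners into the actions the rollover requires.

    send_new_certificate:    partners that must be given the new certificate.
    no_action:               partners for whom our certificate is not configured to be used.
    confirm_not_encrypting:  partners with WantAssertionEncrypted false; the config cannot
                             tell us whether they encrypt regardless, so ask them, and if
                             they insist on encrypting, set WantAssertionEncrypted to true.
    """
    plan = {"send_new_certificate": [], "no_action": [], "confirm_not_encrypting": []}
    for partner in config.get("PartnerIdentityProviderConfigurations", []):
        name = partner["Name"]
        bucket = "send_new_certificate" if needs_new_certificate(partner) else "no_action"
        plan[bucket].append(name)
        if partner.get("WantAssertionEncrypted", False) is not True:
            plan["confirm_not_encrypting"].append(name)
    return plan


def old_certificate_retained(config: dict) -> bool:
    """True if at least two local certificates are configured.

    Keeping the old certificate alongside the new one lets the SP still decrypt
    assertions from an IdP that has not yet switched to the new public key.
    """
    local = config.get("LocalServiceProviderConfiguration", {})
    return len(local.get("LocalCertificates", [])) >= 2


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for action, names in plan_rollover(cfg).items():
        print(f"{action}: {', '.join(names) or '-'}")
    print("old certificate retained for staggered rollover:", old_certificate_retained(cfg))
```

Run against a real configuration, the "confirm_not_encrypting" list is the set of partners to contact before rotating; the "send_new_certificate" list is what you distribute the new metadata or certificate file to. Once every partner has confirmed it is on the new key, the old entry can be removed from LocalCertificates.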