OpenAM / OPENAM-3493

Update SAML to support multiple keys (key rollover)

Description

      Request from User:

      The SAML metadata allows multiple KeyDescriptor elements in a RoleDescriptor, which should mean that both SPSSODescriptor and IDPSSODescriptor can support multiple encryption keys, but it seems OpenAM only uses the first one.

      This makes certificate renewals problematic, as it means an interruption of service to users unless we change the definition at our IdP at exactly the same time as the SP updates their systems. If OpenAM supported multiple KeyDescriptors, things would just continue to work when the certificate gets switched.

      Current Workaround: disable SP certificate verification on the IdP side.
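An added example (not OpenAM code, and not from the reporter) of the behaviour the ticket asks for at the metadata-consumption step: collect every KeyDescriptor under the SPSSODescriptor and treat all of them as trusted, rather than stopping at the first. The metadata document and the base64 blobs are constructed placeholders (short ASCII strings, not real DER certificates), and the `verify` callable stands in for a real XML-Signature check, which is assumed rather than implemented here. It also covers the edge case a rollover implementation must get right: a KeyDescriptor with no `use` attribute counts for both signing and encryption.

```python
"""Key rollover with SAML 2.0 metadata: trust every KeyDescriptor, not only the first.

Added example, not OpenAM's code. The metadata and the base64 blobs are
constructed placeholders; a real deployment would hand the returned bytes to an
X.509 / XML-Signature library, which is assumed rather than implemented here.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed SP metadata: old and new signing certs side by side (the rollover
# case from the ticket), one encryption cert, and one KeyDescriptor with no
# 'use' attribute, which the SAML 2.0 metadata spec says applies to both uses.
# The X509Certificate values are base64 of short ASCII labels, not real certs.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>T0xELVNJR04=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>TkVXLVNJR04=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>RU5DLUtFWQ==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>Qk9USC1LRVk=</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def key_descriptors(metadata_xml: str, role: str = "SPSSODescriptor") -> List[Dict]:
    """Return every KeyDescriptor under the given role, in document order.

    Each entry is {'use': 'signing' | 'encryption' | None, 'certs': [bytes, ...]}.
    Whitespace inside X509Certificate is stripped before base64 decoding, since
    real metadata wraps the PEM body across lines.
    """
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.findall(f"md:{role}/md:KeyDescriptor", NS):
        certs = [base64.b64decode("".join((c.text or "").split()))
                 for c in kd.findall(".//ds:X509Certificate", NS)]
        found.append({"use": kd.get("use"), "certs": certs})
    return found


def certs_for_use(metadata_xml: str, use: str, role: str = "SPSSODescriptor") -> List[bytes]:
    """All certificates usable for `use`, including those from KeyDescriptors
    that omit the 'use' attribute (omitted means both signing and encryption)."""
    return [cert
            for kd in key_descriptors(metadata_xml, role)
            if kd["use"] in (use, None)
            for cert in kd["certs"]]


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, handy for logging which key matched."""
    return hashlib.sha256(cert_der).hexdigest()


def verify_with_any(candidates: List[bytes], verify: Callable[[bytes], bool]) -> Optional[bytes]:
    """Rollover-tolerant check: try every trusted certificate and return the one
    that verified, or None. `verify` is the (assumed) signature check for one cert."""
    for cert in candidates:
        if verify(cert):
            return cert
    return None


def first_key_only(candidates: List[bytes], verify: Callable[[bytes], bool]) -> Optional[bytes]:
    """Models the behaviour the ticket reports: only the first KeyDescriptor counts."""
    if candidates and verify(candidates[0]):
        return candidates[0]
    return None


if __name__ == "__main__":
    signing = certs_for_use(SAMPLE_METADATA, "signing")
    for cert in signing:
        print("trusted signing cert", fingerprint(cert)[:16])

    def signed_with_new(cert: bytes) -> bool:
        # Stand-in for a real signature check: the SP has rotated to NEW-SIGN.
        return cert == b"NEW-SIGN"

    print("first-key-only accepts:", first_key_only(signing, signed_with_new))
    print("any-key accepts:", verify_with_any(signing, signed_with_new))
```

With both the old and the new certificate published in metadata, `verify_with_any` accepts an assertion signed with either, so the IdP and SP no longer need to switch at the same instant; `first_key_only` rejects the new key until the old KeyDescriptor is removed, which is the outage the ticket describes.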

People

  Assignee: Peter Major (peter.major)
  Reporter: Jonathan Thomas (jonthomas)
  Votes: 13
  Watchers: 14
