7. Key Rollover

The use of long-lived, self-signed certificates in metadata is strongly recommended. According to the SAML2int and MetaIOP profiles, the certificate is only a container for the public key, and no method of validating the certificate information may be used.


1. Create a new key-pair that is compliant with the federation.

2. Create a copy of the metadata already published in the federation and add a new KeyDescriptor element containing the new public key certificate. The metadata should now contain both the old and the new KeyDescriptor element. If there is one KeyDescriptor for signing and one for encryption, do this for both.

3. Upload the metadata to the federation. Read more about how to publish metadata on the federation website.

4. Wait for the new metadata to propagate.

5. Configure the software to use the new private key.

6. Remove the old KeyDescriptor element from the metadata and upload it to the federation.
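
The check below is an added example, not part of the original page or of any federation's tooling. It reads a metadata document and reports, per key use, whether the old certificate, the new one, or both are published, which is what to confirm after step 4 and before step 5. The helper names and the sample metadata are assumptions constructed for illustration, and certificates are compared by SHA-256 fingerprint of their DER bytes.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"

def fingerprint(cert_b64):
    """SHA-256 over the decoded bytes; whitespace from line wrapping is ignored."""
    der = base64.b64decode("".join((cert_b64 or "").split()))
    return hashlib.sha256(der).hexdigest()

def keys_by_use(metadata_xml):
    """Return {'signing': {fp, ...}, 'encryption': {fp, ...}} for all KeyDescriptors."""
    found = {"signing": set(), "encryption": set()}
    # Only KeyDescriptor elements count; the certificate inside the document's
    # own ds:Signature is not a published entity key. Parse trusted input only.
    for kd in ET.fromstring(metadata_xml).iter(MD + "KeyDescriptor"):
        # A KeyDescriptor without a use attribute applies to both purposes.
        uses = [kd.get("use")] if kd.get("use") else ["signing", "encryption"]
        for cert in kd.iter(DS + "X509Certificate"):
            for use in uses:
                found.setdefault(use, set()).add(fingerprint(cert.text))
    return found

def rollover_stage(metadata_xml, old_b64, new_b64):
    """Classify each use as 'both', 'old-only', 'new-only' or 'neither'."""
    old_fp, new_fp = fingerprint(old_b64), fingerprint(new_b64)
    names = {(True, True): "both", (True, False): "old-only",
             (False, True): "new-only", (False, False): "neither"}
    return {use: names[(old_fp in fps, new_fp in fps)]
            for use, fps in keys_by_use(metadata_xml).items()}

# Constructed sample: placeholder bytes stand in for real DER certificates.
OLD = base64.b64encode(b"constructed-old-certificate").decode()
NEW = base64.b64encode(b"constructed-new-certificate").decode()

def key_descriptor(use, cert_b64):
    return ('<md:KeyDescriptor use="%s"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s'
            '</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>' % (use, cert_b64))

# Step 2 was done for signing only; the new encryption KeyDescriptor is missing.
SAMPLE = ('<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
          'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/metadata">'
          '<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
          + key_descriptor("signing", OLD) + key_descriptor("signing", NEW)
          + key_descriptor("encryption", OLD)
          + '</md:IDPSSODescriptor></md:EntityDescriptor>')

if __name__ == "__main__":
    print(rollover_stage(SAMPLE, OLD, NEW))
```

Switch the software to the new private key only when every use reports `both`, and run the check against the metadata the federation actually distributes rather than the local copy.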


Example metadata with old and new public key certificate.

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://myhost.example.com/simplesaml/saml2/idp/metadata.php" ID="pfx797787f7-e5bd-acc6-89ef-4d120e679a48"><ds:Signature>
  <ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
  <ds:Reference URI="#pfx797787f7-e5bd-acc6-89ef-4d120e679a48"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>AzMFoTwyoKc0YHcPAaYl5jPIclE=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>Srzu2vX2+FC6tTNH+vImIdvfo8fXuWbcF4vkL3NdiTB/ZU3HTmjKg3KkNLKxw/DbGznNdnmi16ImWOqtETSbYDGPUwhYM13PvQ+OIfogmurj5sNE57pa3sg/MEOJB80A7axXCUKsOV4CqLTDZNh/d7imiS2G4VB7Kmo9o0y1ZQtkV6U5LWO87Mw9rIj+D16KiB2HVIqq/cxOJBa4A7BoVuqJi3Qsc7rDjZK8b6e/EhP1QKgfAPwmTIp7K88mfUlD3/fKo9EP5haLuXxjLLKySIwgqR56sLEwHttHMZMPg83zeOLgaeT8+qVA0NeplsM+2c5y2/OMk8vM9Q6ix7eOfg==</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDszCCApugAwIBAgIJAP7RfQ50pS1JMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNVBAYTAlNFMRIwEAYDVQQIDAlTdG9ja2hvbG0xEjAQBgNVBAcMCVN0b2NraG9sbTEMMAoGA1UECgwDSUlTMQwwCgYDVQQLDANGZWQxHTAbBgNVBAMMFHNhbWxpZHAubXlkb21haW4ubG9jMB4XDTE1MDgwNDExNDMzNloXDTIwMDgwMzExNDMzNlowcDELMAkGA1UEBhMCU0UxEjAQBgNVBAgMCVN0b2NraG9sbTESMBAGA1UEBwwJU3RvY2tob2xtMQwwCgYDVQQKDANJSVMxDDAKBgNVBAsMA0ZlZDEdMBsGA1UEAwwUc2FtbGlkcC5teWRvbWFpbi5sb2MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDT1HIQFaO7i5Zxt/Nf6kyHzy7gDXXaxLO++E7cjbMnaWUg/5dsWU0oBLpme+1m+7DybQQsIg9+yjqkJkS22z/2go3MB9PBnxmiaplhAYjWN7oBGpo1R1dwofYQZnLo/iBH0rT+odzv8RvxkhLtGASpNR/b5MIwrnIpWLXgcSybAHNQPi/9peW5eNIq26AHF7QwxgUOHnSazNPCWkSjTye00uFHx8xHYQ7Fjq2pifzhTrDABZgtc3ws/bxOwxz2XnbLWAYhivUCSXCtNErLO68yO0X2NILtUJpJJ6JD+yRFjjBp6KFFwcsEIOHnJ7TW+jk+gAYFrRLRZb9Xp/yjO+JFAgMBAAGjUDBOMB0GA1UdDgQWBBTDeQkkzM7pXo6WQmW74xYTvPf5GDAfBgNVHSMEGDAWgBTDeQkkzM7pXo6WQmW74xYTvPf5GDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBawGnUJabQ/V9UG6/+tCZwKCge4qZKVQ67feu4NAIiQKrcnuuQb0U0g/CrwrJ2TTwHzRVJscf5KW9bWhK4Xuwm2Pq+ySTExHputJW8VaAYZ5J5G7K4M7H4zjCRJwdDSSNI3Jv4+Bs/sOi5jcLQ7wk0oCjQkiARFbB6On22WeAun618AHBTVgn0TsP2JasJyJJomrP6IqVF2Ox6/NB0GEr1gRAv5Apzvxvgra72JN9DcPjgsceJrRpTa8BBAglj87SFPq9khCrv1mnu2PQU0KM7aw35IjvgOdAXnBVmMX+S1UvB6UkT6L2T8PbjAR4Y3k8B4lbJxPVfk807TmA07bYF</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDszCCApugAwIBAgIJAP7RfQ50pS1JMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNVBAYTAlNFMRIwEAYDVQQIDAlTdG9ja2hvbG0xEjAQBgNVBAcMCVN0b2NraG9sbTEMMAoGA1UECgwDSUlTMQwwCgYDVQQLDANGZWQxHTAbBgNVBAMMFHNhbWxpZHAubXlkb21haW4ubG9jMB4XDTE1MDgwNDExNDMzNloXDTIwMDgwMzExNDMzNlowcDELMAkGA1UEBhMCU0UxEjAQBgNVBAgMCVN0b2NraG9sbTESMBAGA1UEBwwJU3RvY2tob2xtMQwwCgYDVQQKDANJSVMxDDAKBgNVBAsMA0ZlZDEdMBsGA1UEAwwUc2FtbGlkcC5teWRvbWFpbi5sb2MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDT1HIQFaO7i5Zxt/Nf6kyHzy7gDXXaxLO++E7cjbMnaWUg/5dsWU0oBLpme+1m+7DybQQsIg9+yjqkJkS22z/2go3MB9PBnxmiaplhAYjWN7oBGpo1R1dwofYQZnLo/iBH0rT+odzv8RvxkhLtGASpNR/b5MIwrnIpWLXgcSybAHNQPi/9peW5eNIq26AHF7QwxgUOHnSazNPCWkSjTye00uFHx8xHYQ7Fjq2pifzhTrDABZgtc3ws/bxOwxz2XnbLWAYhivUCSXCtNErLO68yO0X2NILtUJpJJ6JD+yRFjjBp6KFFwcsEIOHnJ7TW+jk+gAYFrRLRZb9Xp/yjO+JFAgMBAAGjUDBOMB0GA1UdDgQWBBTDeQkkzM7pXo6WQmW74xYTvPf5GDAfBgNVHSMEGDAWgBTDeQkkzM7pXo6WQmW74xYTvPf5GDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBawGnUJabQ/V9UG6/+tCZwKCge4qZKVQ67feu4NAIiQKrcnuuQb0U0g/CrwrJ2TTwHzRVJscf5KW9bWhK4Xuwm2Pq+ySTExHputJW8VaAYZ5J5G7K4M7H4zjCRJwdDSSNI3Jv4+Bs/sOi5jcLQ7wk0oCjQkiARFbB6On22WeAun618AHBTVgn0TsP2JasJyJJomrP6IqVF2Ox6/NB0GEr1gRAv5Apzvxvgra72JN9DcPjgsceJrRpTa8BBAglj87SFPq9khCrv1mnu2PQU0KM7aw35IjvgOdAXnBVmMX+S1UvB6UkT6L2T8PbjAR4Y3k8B4lbJxPVfk807TmA07bYF</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
   <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDrzCCApegAwIBAgIJAOoNi9OD7ABuMA0GCSqGSIb3DQEBCwUAMG4xCzAJBgNVBAYTAlNFMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQHDARjaXR5MRQwEgYDVQQKDAtleGFtcGxlIG9yZzETMBEGA1UECwwKZXhhbXBsZSBvdTEQMA4GA1UEAwwHTXkgTmFtZTAeFw0xNzEwMTgxMzE1NDlaFw0yNzEwMTgxMzE1NDlaMG4xCzAJBgNVBAYTAlNFMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQHDARjaXR5MRQwEgYDVQQKDAtleGFtcGxlIG9yZzETMBEGA1UECwwKZXhhbXBsZSBvdTEQMA4GA1UEAwwHTXkgTmFtZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK59vVP9/nHcDtvFLKeRO6VxcYSar8vmY5fM4OkeptnTooP9YFbeX/iFP+J9RWnnjwPK8egqYNjvRIA6B/+GZkHszK5Mm7SfTG9ePjtUZCBuFERgbCS2xOXoZIUnt4Uj4kSoJx4pLxQTLnxKW36bqPQLFbM1BjfqwrlYhynNSZEHBH15GCKCAzp1mTFOtCuAs7qZy17+Xs/qiFHWXGLqfq2/XWSGS9mC49BMZueVcFRher2bFD0E/SXa7lkRyuOkmXK7TfAa+r8kEsQrqTaCI6BFPhel1TXBtjQVvVSFvK2d3OwdRS2Bt9OkdbuAmy1OCkxH+QiIxNg3Nhhg4Hg0t8ECAwEAAaNQME4wHQYDVR0OBBYEFHDnZFLGR3G518zCMxAbsbSD079FMB8GA1UdIwQYMBaAFHDnZFLGR3G518zCMxAbsbSD079FMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGPDJYjbGA58g8fMOjUzmNBNOjRxfl4D47Su0AMd6BNmycs254FdayCyHsxAcZn5w6vKt/of3sX7qS1VYcrl0HIP9f1aNGHMsphTR4vozhrvAD4kXJXP1orBXR9ViU+MfXK4vBcCH8C9tS3yJqUUpwuTrhOK0FR5AsYoQJ7rKiN5lwAJaQL7IwNasJgaSsgEZFl3L1jAENn9Ur1+JHLQGUY/39aqah8IzasN5U32PKIIWvBMhLuV78Bd1Wyh6w0zf6TyKN90AKj1NBgxJFz0yfZ0dOSthHx6hWRcTrP31//+YR8YYXmuD86C2TCeZutB7ig/lsqJ8z4Pv/lccr45+N0=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDszCCApugAwIBAgIJAP7RfQ50pS1JMA0GCSqGSIb3DQEBCwUAMHAxCzAJBgNVBAYTAlNFMRIwEAYDVQQIDAlTdG9ja2hvbG0xEjAQBgNVBAcMCVN0b2NraG9sbTEMMAoGA1UECgwDSUlTMQwwCgYDVQQLDANGZWQxHTAbBgNVBAMMFHNhbWxpZHAubXlkb21haW4ubG9jMB4XDTE1MDgwNDExNDMzNloXDTIwMDgwMzExNDMzNlowcDELMAkGA1UEBhMCU0UxEjAQBgNVBAgMCVN0b2NraG9sbTESMBAGA1UEBwwJU3RvY2tob2xtMQwwCgYDVQQKDANJSVMxDDAKBgNVBAsMA0ZlZDEdMBsGA1UEAwwUc2FtbGlkcC5teWRvbWFpbi5sb2MwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDT1HIQFaO7i5Zxt/Nf6kyHzy7gDXXaxLO++E7cjbMnaWUg/5dsWU0oBLpme+1m+7DybQQsIg9+yjqkJkS22z/2go3MB9PBnxmiaplhAYjWN7oBGpo1R1dwofYQZnLo/iBH0rT+odzv8RvxkhLtGASpNR/b5MIwrnIpWLXgcSybAHNQPi/9peW5eNIq26AHF7QwxgUOHnSazNPCWkSjTye00uFHx8xHYQ7Fjq2pifzhTrDABZgtc3ws/bxOwxz2XnbLWAYhivUCSXCtNErLO68yO0X2NILtUJpJJ6JD+yRFjjBp6KFFwcsEIOHnJ7TW+jk+gAYFrRLRZb9Xp/yjO+JFAgMBAAGjUDBOMB0GA1UdDgQWBBTDeQkkzM7pXo6WQmW74xYTvPf5GDAfBgNVHSMEGDAWgBTDeQkkzM7pXo6WQmW74xYTvPf5GDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBawGnUJabQ/V9UG6/+tCZwKCge4qZKVQ67feu4NAIiQKrcnuuQb0U0g/CrwrJ2TTwHzRVJscf5KW9bWhK4Xuwm2Pq+ySTExHputJW8VaAYZ5J5G7K4M7H4zjCRJwdDSSNI3Jv4+Bs/sOi5jcLQ7wk0oCjQkiARFbB6On22WeAun618AHBTVgn0TsP2JasJyJJomrP6IqVF2Ox6/NB0GEr1gRAv5Apzvxvgra72JN9DcPjgsceJrRpTa8BBAglj87SFPq9khCrv1mnu2PQU0KM7aw35IjvgOdAXnBVmMX+S1UvB6UkT6L2T8PbjAR4Y3k8B4lbJxPVfk807TmA07bYF</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
   <md:KeyDescriptor use="encryption">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>MIIDrzCCApegAwIBAgIJAOoNi9OD7ABuMA0GCSqGSIb3DQEBCwUAMG4xCzAJBgNVBAYTAlNFMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQHDARjaXR5MRQwEgYDVQQKDAtleGFtcGxlIG9yZzETMBEGA1UECwwKZXhhbXBsZSBvdTEQMA4GA1UEAwwHTXkgTmFtZTAeFw0xNzEwMTgxMzE1NDlaFw0yNzEwMTgxMzE1NDlaMG4xCzAJBgNVBAYTAlNFMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0wCwYDVQQHDARjaXR5MRQwEgYDVQQKDAtleGFtcGxlIG9yZzETMBEGA1UECwwKZXhhbXBsZSBvdTEQMA4GA1UEAwwHTXkgTmFtZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK59vVP9/nHcDtvFLKeRO6VxcYSar8vmY5fM4OkeptnTooP9YFbeX/iFP+J9RWnnjwPK8egqYNjvRIA6B/+GZkHszK5Mm7SfTG9ePjtUZCBuFERgbCS2xOXoZIUnt4Uj4kSoJx4pLxQTLnxKW36bqPQLFbM1BjfqwrlYhynNSZEHBH15GCKCAzp1mTFOtCuAs7qZy17+Xs/qiFHWXGLqfq2/XWSGS9mC49BMZueVcFRher2bFD0E/SXa7lkRyuOkmXK7TfAa+r8kEsQrqTaCI6BFPhel1TXBtjQVvVSFvK2d3OwdRS2Bt9OkdbuAmy1OCkxH+QiIxNg3Nhhg4Hg0t8ECAwEAAaNQME4wHQYDVR0OBBYEFHDnZFLGR3G518zCMxAbsbSD079FMB8GA1UdIwQYMBaAFHDnZFLGR3G518zCMxAbsbSD079FMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAGPDJYjbGA58g8fMOjUzmNBNOjRxfl4D47Su0AMd6BNmycs254FdayCyHsxAcZn5w6vKt/of3sX7qS1VYcrl0HIP9f1aNGHMsphTR4vozhrvAD4kXJXP1orBXR9ViU+MfXK4vBcCH8C9tS3yJqUUpwuTrhOK0FR5AsYoQJ7rKiN5lwAJaQL7IwNasJgaSsgEZFl3L1jAENn9Ur1+JHLQGUY/39aqah8IzasN5U32PKIIWvBMhLuV78Bd1Wyh6w0zf6TyKN90AKj1NBgxJFz0yfZ0dOSthHx6hWRcTrP31//+YR8YYXmuD86C2TCeZutB7ig/lsqJ8z4Pv/lccr45+N0=</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://myhost.example.com/simplesaml/saml2/idp/SingleLogoutService.php"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://myhost.example.com/simplesaml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
  <md:Organization>
    <md:OrganizationName xml:lang="en">Example organization</md:OrganizationName>
    <md:OrganizationName xml:lang="sv">Exempel organisation</md:OrganizationName>
    <md:OrganizationDisplayName xml:lang="en">Example organization</md:OrganizationDisplayName>
    <md:OrganizationDisplayName xml:lang="sv">Exempel organisation</md:OrganizationDisplayName>
    <md:OrganizationURL xml:lang="en">www.example.com</md:OrganizationURL>
    <md:OrganizationURL xml:lang="sv">www.example.com</md:OrganizationURL>
  </md:Organization>
  <md:ContactPerson contactType="technical" xml:lang="sv">
    <md:GivenName>Kalle</md:GivenName>
    <md:SurName>Andersson</md:SurName>
    <md:EmailAddress>kalle.andersson@example.com</md:EmailAddress>
    <md:TelephoneNumber>+468123456</md:TelephoneNumber>
  </md:ContactPerson>
  <md:ContactPerson contactType="technical" xml:lang="en">
    <md:GivenName>Kalle</md:GivenName>
    <md:SurName>Andersson</md:SurName>
    <md:EmailAddress>kalle.andersson@example.com</md:EmailAddress>
    <md:TelephoneNumber>+468123456</md:TelephoneNumber>
  </md:ContactPerson>
  <md:ContactPerson contactType="support" xml:lang="sv">
    <md:GivenName>Kalle</md:GivenName>
    <md:SurName>Andersson</md:SurName>
    <md:EmailAddress>kalle.andersson@example.com</md:EmailAddress>
    <md:TelephoneNumber>+468123456</md:TelephoneNumber>
  </md:ContactPerson>
  <md:ContactPerson contactType="support" xml:lang="en">
    <md:GivenName>Kalle</md:GivenName>
    <md:SurName>Andersson</md:SurName>
    <md:EmailAddress>kalle.andersson@example.com</md:EmailAddress>
    <md:TelephoneNumber>+468123456</md:TelephoneNumber>
  </md:ContactPerson>
</md:EntityDescriptor>

SAML2int

http://saml2int.org/profile/current/
5 Metadata and Trust Management
Identity Providers and Service Providers MUST provide a SAML 2.0 Metadata document representing its entity. How metadata is exchanged is out of scope of this specification. Provided metadata MUST conform to the SAML V2.0 Metadata Interoperability Profile Version 1.0 [MetaIOP].

MetaIOP

http://docs.oasis-open.org/security/saml/Post2.0/sstc-metadata-iop.pdf
2.5.1 Key Representation
In the case of an X.509 certificate, there are no requirements as to the content of the certificate apart from the requirement that it contain the appropriate public key. Specifically, the certificate may be expired, not yet valid, carry critical or non-critical extensions or usage flags, and contain any subject or issuer. The use of the certificate structure is merely a matter of notational convenience to communicate a key and has no semantics in this profile apart from that. However, it is RECOMMENDED that certificates be unexpired.

2.6.1 Key Processing
Each key expressed by a <md:KeyDescriptor> element within a particular role MUST be treated as valid when processing messages or assertions in the context of that role. Specifically, any signatures or transport communications (e.g., TLS/SSL sessions) verifiable with a signing key MUST be treated as valid, and any encryption keys found MAY be used to encrypt messages or assertions (or encryption keys) intended for the containing entity.

Subsequent to accepting a metadata instance, a consumer MUST NOT apply additional criteria of any kind on the acceptance, or validity, of the keys found within it or their use at runtime. Specifically, consumers SHALL NOT apply any online or offline techniques including, but not limited to, X.509 path validation or revocation lists, OCSP responders, etc. The following key representations within a <ds:KeyInfo> element MUST be supported:
• <ds:KeyValue>
• <ds:X509Certificate> (child element of <ds:X509Data>)
In the case of the former, the key itself is explicitly identified. In the case of the latter, a metadata consumer MUST extract the public key found in the certificate and MUST NOT honor, interpret, or make use of any of the information found in the certificate other than as an aid in identifying the key used (based, for example, on information found at runtime in an XML digital signature's <ds:KeyInfo> element or the certificate presented by a transport peer).

Upon identifying a candidate key, a signature can be directly evaluated based on whether it is verifiable with the key. Authentication of a transport peer can be evaluated by extracting the key presented by the peer (often in the form of an X.509 certificate) and comparing it by value to the candidate key. This process has the effect of decoupling the certificates that may be present in metadata from those presented at runtime, provided that the public keys are in fact the same.