0 Replies Latest reply on Apr 10, 2015 3:05 AM by jbromberger

    Picketlink SAML SP: Supporting remote IDP certificate rollovers

    jbromberger

Hello

I'm looking to run PicketLink as an SP (in WildFly), and can see that I have to add the remote IdP certificate to a JKS and reference it by its JKS alias as a ValidatingAlias:

       

      <ValidatingAlias Key="idp.client.org" Value="client-adfs-cert" />


However, if the remote IdP is rotating their IdP keys (the ADFS default is every 365 days for the token-signing cert), then in order to have a smooth transition/rollover/refresh, I'll want to grab the updated metadata and cert and have that available in production before the IdP starts USING this new certificate. I could add the new key as a new alias in my JKS, but my question is:


Can I add a second ValidatingAlias for the same Key but with a different Value, to support both the current and the new keys and have either used (so I can later come back and remove the then-expired original cert)? I.e.:


      <ValidatingAlias Key="idp.client.org" Value="client-adfs-cert-2014" />

      <ValidatingAlias Key="idp.client.org" Value="client-adfs-cert-2015" />



      Many thanks,

        James
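The rollover window the question describes (old and new IdP signing certificates trusted side by side until the old one expires) can be illustrated independently of how PicketLink resolves a ValidatingAlias. The following is an added example, not PicketLink or WildFly code and not something the original poster wrote: it loads every certificate entry whose JKS alias starts with a per-IdP prefix (the assumed convention `client-adfs-cert-<year>`), skips entries that are expired or not yet valid, and accepts a signature if any remaining candidate verifies it. It checks a raw signature with `java.security.Signature` as a stand-in for the XML-DSig check a real SAML SP performs; the part worth copying is the "try each currently valid candidate, report which one matched" logic. The keystore path, password and prefix are assumptions.

```java
import java.io.FileInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;

/**
 * Illustrative helper (not PicketLink code): trust every certificate under a
 * per-IdP alias prefix, so the 2014 and 2015 certs coexist during rollover and
 * the old one can be deleted from the keystore once it has expired.
 */
public class RolloverTrustStore {

    /** Alias of a candidate cert paired with the cert itself, so a match can be logged. */
    public static final class TrustedCert {
        public final String alias;
        public final X509Certificate cert;
        TrustedCert(String alias, X509Certificate cert) { this.alias = alias; this.cert = cert; }
    }

    private final List<TrustedCert> trusted;

    public RolloverTrustStore(String jksPath, char[] password, String aliasPrefix) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(jksPath)) {
            ks.load(in, password);
        }
        List<TrustedCert> certs = new ArrayList<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            // Only trusted-certificate entries under this IdP's prefix are candidates.
            if (!alias.startsWith(aliasPrefix) || !ks.isCertificateEntry(alias)) continue;
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) certs.add(new TrustedCert(alias, (X509Certificate) c));
        }
        this.trusted = Collections.unmodifiableList(certs);
    }

    /**
     * Returns the alias whose certificate verified the signature, or null if none did.
     * Expired / not-yet-valid certificates are skipped rather than tried.
     */
    public String verify(byte[] signedBytes, byte[] signature, String algorithm) {
        for (TrustedCert candidate : trusted) {
            try {
                candidate.cert.checkValidity();
            } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                continue; // stale candidate: operator should remove it from the JKS
            }
            try {
                Signature sig = Signature.getInstance(algorithm);
                sig.initVerify(candidate.cert.getPublicKey());
                sig.update(signedBytes);
                if (sig.verify(signature)) return candidate.alias;
            } catch (GeneralSecurityException e) {
                // Wrong key or malformed signature for this candidate; try the next one.
            }
        }
        return null;
    }

    // Assumed paths and values; the SP would run this for each signed assertion it receives.
    public static void main(String[] args) throws Exception {
        RolloverTrustStore store = new RolloverTrustStore(
                "/path/to/sp-truststore.jks", "changeit".toCharArray(), "client-adfs-cert-");
        byte[] payload = args.length > 0 ? args[0].getBytes("UTF-8") : new byte[0];
        byte[] signature = new byte[0]; // placeholder: the signature bytes from the assertion
        String matched = store.verify(payload, signature, "SHA256withRSA");
        System.out.println(matched == null ? "signature rejected" : "verified with alias " + matched);
    }
}
```

Logging the matching alias on every successful verification is what makes the cleanup step safe: once production logs show only `client-adfs-cert-2015` matching, the 2014 entry can be removed from the keystore with confidence rather than on a guessed date.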