0 Replies Latest reply on Apr 10, 2015 3:05 AM by James Bromberger

    Picketlink SAML SP: Supporting remote IDP certificate rollovers

    James Bromberger Newbie



I'm looking to run Picketlink as an SP (in Wildfly), and can see that I have to add the remote IdP certificate to a JKS and reference that by its JKS alias as a ValidatingAlias:


      <ValidatingAlias Key="idp.client.org" Value="client-adfs-cert" />

However, if the remote IdP is rotating their IdP keys (ADFS default is every 365 days for the token signing cert), then in order to have a smooth transition/rollover/refresh, I'll want to grab the updated metadata and cert and have that available in production before the IdP starts USING this new certificate. I could add the new key as a new alias in my JKS, but my question is:

Can I add a second ValidatingAlias for the same Key but with a different Value to support both the current and the new keys, and have either used (so I can later come back and remove the then-expired original cert)? I.e.:

      <ValidatingAlias Key="idp.client.org" Value="client-adfs-cert-2014" />

      <ValidatingAlias Key="idp.client.org" Value="client-adfs-cert-2015" />

      Many thanks,
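As an added example (not PicketLink code and not from the original post), a Python check for the rollover step described above: it reads the IdP's SAML metadata, extracts every signing certificate, and reports which fingerprints are not yet in the SP's trusted set (to be imported into the JKS under a new alias ahead of the cutover) and which trusted ones the IdP no longer publishes. The metadata document and the DER byte strings are constructed stand-ins, not real certificates; only the idp.client.org hostname is taken from the post.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample data: these byte strings stand in for DER certificates and are not real certs.
OLD_DER = b"constructed DER stand-in: 2014 token-signing cert"
NEW_DER = b"constructed DER stand-in: 2015 token-signing cert"
ENC_DER = b"constructed DER stand-in: encryption cert, must be ignored"

def _b64(der: bytes) -> str:
    return base64.b64encode(der).decode()

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://idp.client.org/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_b64(OLD_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_b64(NEW_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{_b64(ENC_DER)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint as colon-separated uppercase hex, the form keytool -list -v prints."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def signing_certs(metadata_xml: str) -> dict:
    """Map fingerprint -> DER for each IdP cert usable for signing. A KeyDescriptor with no
    'use' attribute is valid for both purposes and is kept; use="encryption" never signs."""
    root = ET.fromstring(metadata_xml)
    certs = {}
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for el in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((el.text or "").split()))  # tolerate PEM-style wrapping
            certs[fingerprint(der)] = der
    return certs

def rollover_delta(metadata_xml: str, trusted: set) -> tuple:
    """Return (to_import, to_retire): certs the IdP now publishes that the SP does not yet
    trust, and trusted certs the IdP no longer publishes (safe to drop after the cutover)."""
    published = set(signing_certs(metadata_xml))
    return sorted(published - trusted), sorted(trusted - published)
```

Run `rollover_delta(metadata, trusted_fingerprints)` against the IdP's current metadata on a schedule; anything in the first list should be imported into the JKS as an additional alias before the IdP's next key rollover, and anything in the second can be removed once the IdP has switched.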