[Openid-specs-fastfed] SAML certificate rotation

McAdams, Darin darinm at amazon.com
Mon Jun 14 19:02:02 UTC 2021

#1. If a new certificate is inaccessible for any reason, it allows pre-notification to admins before user impact occurs. Although when push comes to shove on delivery timelines, it wouldn’t be unheard of to launch with #2 and then iteratively add #1.

From: Openid-specs-fastfed <openid-specs-fastfed-bounces at lists.openid.net> on behalf of Openid-specs-fastfed <openid-specs-fastfed at lists.openid.net>
Reply-To: Tim Cappalli <Tim.Cappalli at microsoft.com>
Date: Wednesday, June 9, 2021 at 12:01 PM
To: Openid-specs-fastfed <openid-specs-fastfed at lists.openid.net>
Cc: Erin Greenlee <Erin.Greenlee at microsoft.com>
Subject: [EXTERNAL] [Openid-specs-fastfed] SAML certificate rotation

Hi all,

In the Enterprise SAML Profile for FastFed spec, the certificate rotation options are specified as:

  1.  periodic poll (the application provider (SAML SP) periodically polls the IdP’s metadata doc and looks for changes)
  2.  fail then poll (if validation of a SAML assertion’s signature fails, the application provider (SAML SP) reaches out to the SAML metadata endpoint and looks for changes, then re-evaluates the signature)

For those who are planning their implementation (or have one already), which method are you planning to use and why?

Thanks for the feedback!


Tim Cappalli | @timcappalli <https://www.twitter.com/timcappalli>

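The two rotation options in Tim's message, and the operational difference Darin points at (a periodic poller notices an unreachable metadata endpoint at its next poll, while a fail-then-poll SP only learns about trouble when a user's assertion is rejected), as an added example. This is not code from the thread or from the FastFed spec. It uses constructed stand-ins: a "certificate" is an HMAC secret and a "signature" is HMAC-SHA256 over the assertion bytes (a real SP verifies XML-DSig against the X.509 certs in the IdP metadata), FakeIdP replaces the metadata endpoint, and time is passed in explicitly. The class and method names, the hourly poll interval and the one-per-minute refetch limit are assumptions for illustration.

```python
# Added example, not code from the thread or the FastFed spec. Constructed stand-ins:
# a "certificate" is an HMAC secret and a "signature" is HMAC-SHA256 over the assertion
# (real SAML verifies XML-DSig against the X.509 certs in IdP metadata), and FakeIdP
# replaces the network. Time is passed in explicitly so the runs are deterministic.
import hashlib
import hmac

def _sig(secret: bytes, assertion: bytes) -> bytes:
    return hmac.new(secret, assertion, hashlib.sha256).digest()

class FakeIdP:
    """Constructed IdP: 'metadata' is its current signing-key set; it can rotate or go offline."""
    def __init__(self):
        self.signing_keys = {"2020": b"secret-2020"}   # key id -> signing key
        self.metadata_fetches, self.metadata_available = 0, True

    def metadata(self) -> dict:
        self.metadata_fetches += 1
        if not self.metadata_available:
            raise ConnectionError("metadata endpoint unreachable")
        return dict(self.signing_keys)

    def rotate(self, key_id: str, secret: bytes, keep_old: bool = True) -> None:
        if not keep_old:
            self.signing_keys.clear()
        self.signing_keys[key_id] = secret

    def sign(self, key_id: str, assertion: bytes) -> bytes:
        return _sig(self.signing_keys[key_id], assertion)

class ServiceProvider:
    PERIODIC = "periodic"              # option 1 in the thread
    FAIL_THEN_POLL = "fail-then-poll"  # option 2 in the thread

    def __init__(self, fetch_metadata, mode, now=0.0, poll_interval=3600, min_refetch_gap=60):
        self.fetch_metadata, self.mode = fetch_metadata, mode
        self.poll_interval = poll_interval      # assumed: hourly scheduled poll
        self.min_refetch_gap = min_refetch_gap  # assumed: at most one failure-driven refetch per minute
        self.keys = fetch_metadata()            # bootstrap must succeed; nothing is cached yet
        self.last_refresh = now
        self.alerts = []                        # what an operator would be notified with

    def refresh(self, now) -> bool:
        """Re-read metadata; on failure keep the cached keys and record an admin alert."""
        self.last_refresh = now
        try:
            new_keys = self.fetch_metadata()
        except Exception as exc:
            self.alerts.append(f"metadata refresh failed: {exc}")
            return False
        if new_keys != self.keys:
            self.alerts.append(f"signing keys changed: {sorted(self.keys)} -> {sorted(new_keys)}")
        self.keys = new_keys
        return True

    def poll_if_due(self, now) -> None:
        """Periodic poll. A deployment runs this from a scheduler; here verify() also calls it."""
        if self.mode == self.PERIODIC and now - self.last_refresh >= self.poll_interval:
            self.refresh(now)

    def _matches_any_key(self, assertion, signature) -> bool:
        return any(hmac.compare_digest(_sig(k, assertion), signature) for k in self.keys.values())

    def verify(self, assertion: bytes, signature: bytes, now: float) -> bool:
        self.poll_if_due(now)
        if self._matches_any_key(assertion, signature):
            return True
        # Fail-then-poll: refetch once, rate-limited, so forged assertions posted to the ACS
        # cannot turn the SP into a metadata-fetch amplifier against the IdP.
        if (self.mode == self.FAIL_THEN_POLL and now - self.last_refresh >= self.min_refetch_gap
                and self.refresh(now)):
            return self._matches_any_key(assertion, signature)
        return False

def run_periodic_scenario() -> dict:
    """IdP publishes a new cert next to the old one; later its metadata endpoint goes down."""
    idp = FakeIdP()
    sp = ServiceProvider(idp.metadata, ServiceProvider.PERIODIC, now=0)
    idp.rotate("2021", b"secret-2021")
    sp.poll_if_due(now=3600)                                    # scheduled poll picks up the new cert
    picked_up = sp.verify(b"a1", idp.sign("2021", b"a1"), now=3600)
    idp.metadata_available = False                              # e.g. a firewall change in front of the IdP
    sp.poll_if_due(now=7200)                                    # failure is alerted before any user sees it
    still_serving = sp.verify(b"a2", idp.sign("2021", b"a2"), now=7200)
    return {"picked_up": picked_up, "still_serving": still_serving,
            "alerts": sp.alerts, "fetches": idp.metadata_fetches}

def run_fail_then_poll_scenario() -> dict:
    """IdP cuts over to a new cert with no overlap; afterwards forged assertions arrive."""
    idp = FakeIdP()
    sp = ServiceProvider(idp.metadata, ServiceProvider.FAIL_THEN_POLL, now=0)
    idp.rotate("2021", b"secret-2021", keep_old=False)
    first = sp.verify(b"a1", idp.sign("2021", b"a1"), now=120)  # cache miss -> refetch -> accepted
    fetches_after_rotation = idp.metadata_fetches
    bogus = sp.verify(b"a2", b"\x00" * 32, now=120)             # inside the gap: rejected, no refetch
    fetches_after_bogus = idp.metadata_fetches
    bogus_later = sp.verify(b"a3", b"\x00" * 32, now=180)       # gap elapsed: one refetch, still rejected
    return {"first": first, "bogus": bogus, "bogus_later": bogus_later,
            "fetches": (fetches_after_rotation, fetches_after_bogus, idp.metadata_fetches)}
```

Two things worth keeping in mind with either option: the IdP has to publish the new certificate in metadata before it starts signing with it, since an assertion signed by a key the SP cannot find in metadata is rejected under both options; and a fail-then-poll SP needs the refetch rate limit shown above (min_refetch_gap), otherwise anyone who can post an assertion to its ACS can force a metadata fetch per request against the IdP.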