#185 Handle SAML IdP certificate rollover
Opened 3 years ago by nkinder. Modified 2 years ago

We need to ensure IdP certificate rollover can occur in a manner that allows for uninterrupted SP service.

In addition to having a way to easily renew the certificate and apply new metadata in Ipsilon (ideally without a restart), we might need to focus on the SP side in mod_auth_mellon. We need to ensure that an SP can hold copies of both the old and the new IdP certificate, so that the old certificate can remain in use until it expires. Once the old certificate does expire, the new certificate should be honored automatically. This might already be possible via one of the following settings (though it needs to be tested):

# MellonIdPCAFile is the full path to the certificate of the
# certificate authority. This can be used instead of a
# certificate for the IdP.
# Default: None set.
MellonIdPCAFile /etc/apache2/mellon/ca.pem

This option might allow us to use a real CA certificate, so we don't
have to copy every IdP certificate to the SPs. When we get a new cert
for the IdP, it should just work. Of course we need to allow the
Ipsilon metadata cert to be signed by the IdM CA. We have a ticket for
this already (https://fedorahosted.org/ipsilon/ticket/19).

# MellonIdPMetadataGlob is a glob(3) pattern enabled alternative
# to MellonIdPMetadataFile. Like MellonIdPMetadataFile it will
# accept an optional validating chain if lasso is recent enough.
#
# Default: None set.
#MellonIdPMetadataGlob /etc/apache2/mellon/*-metadata.xml

This might allow you to have multiple IdP metadata files for the same
IdP (the one with the old cert, and one with the new cert). This would
need to be tested to make sure it doesn't get hung up by the expired
certificate.
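A check a practitioner would want before relying on a metadata glob with one old and one new IdP metadata file: which signing certificates in those files are already past notAfter. This is an added example, not code from the ticket or from the Ipsilon or mod_auth_mellon projects. The metadata documents and certificates are constructed inline (structurally valid DER with no real key or signature), the clock is pinned so the result is reproducible, and `check_glob` and the file names are assumptions; it runs offline with the standard library only.

```python
"""Report the validity window of IdP signing certificates found in SAML metadata."""
import base64
import glob
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def _tlv(data, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def cert_not_after(der):
    """Minimal ASN.1 walk to tbsCertificate.validity.notAfter; no full X.509 parser needed."""
    _, pos, _ = _tlv(der, 0)               # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)             # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        pos = end
    for _ in range(3):                     # serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)             # validity SEQUENCE
    _, _, pos = _tlv(der, pos)             # skip notBefore
    tag, start, end = _tlv(der, pos)       # notAfter
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(der[start:end].decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def idp_signing_certs(metadata_xml):
    """DER certs from IdP KeyDescriptors usable for signing (use="signing" or unspecified)."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for c in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode(re.sub(r"\s+", "", c.text)))
    return certs


def check_metadata(docs, now):
    """docs: {label: metadata_xml}. Returns {label: [(not_after, still_valid), ...]}."""
    return {label: [(cert_not_after(d), cert_not_after(d) > now) for d in idp_signing_certs(xml)]
            for label, xml in docs.items()}


def check_glob(pattern, now=None):
    """Run check_metadata over files matching a glob such as '/etc/apache2/mellon/*-metadata.xml'."""
    docs = {}
    for path in sorted(glob.glob(pattern)):
        with open(path, encoding="utf-8") as fh:
            docs[path] = fh.read()
    return check_metadata(docs, now or datetime.now(timezone.utc))


# --- constructed sample input (not real certificates) ---------------------------
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def fake_cert_der(not_after):
    """Structurally valid, unsigned certificate skeleton for exercising the walker."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSA
    name = _der(0x30, b"")                 # empty Name, enough for the structure
    validity = _der(0x30, utc(datetime(2015, 1, 1, tzinfo=timezone.utc)) + utc(not_after))
    spki = _der(0x30, alg + _der(0x03, b"\x00\x00"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + alg + name + validity + name + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00\x00"))


METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml2/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

NOW = datetime(2017, 1, 1, tzinfo=timezone.utc)   # pinned clock so the result is reproducible
SAMPLE_DOCS = {   # constructed: one metadata file per IdP certificate, as a glob would pick up
    "idp-old-metadata.xml": METADATA.format(cert=base64.b64encode(
        fake_cert_der(datetime(2016, 6, 30, tzinfo=timezone.utc))).decode()),
    "idp-new-metadata.xml": METADATA.format(cert=base64.b64encode(
        fake_cert_der(datetime(2019, 6, 30, tzinfo=timezone.utc))).decode()),
}

if __name__ == "__main__":
    for label, results in check_metadata(SAMPLE_DOCS, NOW).items():
        for not_after, valid in results:
            print(f"{label}: notAfter={not_after:%Y-%m-%d} {'valid' if valid else 'EXPIRED'}")
```

Run against a real directory with `check_glob("/etc/apache2/mellon/*-metadata.xml")`; during a rollover window the expected picture is exactly the one the constructed sample produces, one file whose certificate is expired (or about to be) and one that is still valid. The walker only reads notAfter and does no signature verification, so it answers "which file holds the stale certificate", not "is this metadata trustworthy".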


Metadata Update from @nkinder:
- Issue set to the milestone: 1.3

2 years ago
