Changes between Version 1 and Version 2 of Ticket #807, comment 5
Timestamp:
10/19/15 10:51:41 (9 years ago)
Author:
Sander Maijers
Comment:
Ticket #807, comment 5

> Only thing that should happen if the expired cert is in the metadata as an active one after 24th is that we'll get emails; will all the users still be able to log in?

v1: First of all, you will probably not get such e-mails if you ''also'' have a valid/unexpired certificate in your metadata. Your users will be able to log in using IdPs that know the same key of the pair that your SP is configured to use. So if you have at least the new certificate both at the identity federations (we have) and at your SP at the time the old one has expired, then it works. See: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMultipleCredentials

v2: First of all, you will probably not get such e-mails if you ''also'' have a valid/unexpired certificate in your metadata. Your users will be able to log in using IdPs that know the public key of at least one key pair that your SP is configured to use. So if you have at least the new certificate both at the identity federations (we have) and at your SP at the time the old one has expired, then it works. See: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMultipleCredentials

Perhaps some overeager identity federation will remove your SAML metadata because of the expired certificate, then of course everything still breaks down. But I've never seen examples of that; in fact I've seen many examples of long-expired certificates being in the SAML metadata batches of various identity federations. So I expect no problems with logging in, though we should of course do everything to avoid such a situation.
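The rollover condition the reply describes (logins keep working as long as the published metadata carries at least one unexpired certificate whose key the SP itself is configured with), as an added Python example that is not code from the ticket or from Shibboleth: it reads the KeyDescriptors of an SP EntityDescriptor, pulls notAfter out of each certificate with a minimal DER walk, and checks whether an unexpired signing certificate is among the SP's own configured ones. The certificates and the metadata are constructed (unsigned, X.509-shaped DER), the entityID is a placeholder, and the 2015-10-24 expiry mirrors the "24th" in the quoted question.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def tlv(buf, i):
    """Decode one DER TLV at offset i (short or long form length); returns (tag, value, next offset)."""
    tag, ln, i = buf[i], buf[i + 1], i + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + ln], i + ln

def cert_not_after(cert_der):
    """Walk Certificate -> tbsCertificate -> validity -> notAfter; no full X.509 parser needed."""
    _, tbs, _ = tlv(tlv(cert_der, 0)[1], 0)
    tag, _, i = tlv(tbs, 0)                         # [0] EXPLICIT version (optional) or serialNumber
    if tag == 0xA0:
        _, _, i = tlv(tbs, i)                       # serialNumber
    _, _, i = tlv(tbs, i)                           # signature AlgorithmIdentifier
    _, _, i = tlv(tbs, i)                           # issuer Name
    _, validity, _ = tlv(tbs, i)
    tag, t, _ = tlv(validity, tlv(validity, 0)[2])  # skip notBefore; UTCTime (0x17) or GeneralizedTime (0x18)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(t.decode(), fmt).replace(tzinfo=timezone.utc)

def metadata_keys(metadata_xml):
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:KeyDescriptor", NS):
        for x509 in kd.iterfind(".//ds:X509Certificate", NS):
            cert = base64.b64decode("".join(x509.text.split()))
            yield kd.get("use", "signing encryption"), cert, cert_not_after(cert)  # no 'use' = both uses

def login_still_works(metadata_xml, sp_configured_certs, now):
    """True iff the published metadata still carries an unexpired signing cert the SP itself is configured with."""
    return any("signing" in use and not_after > now and cert in sp_configured_certs
               for use, cert, not_after in metadata_keys(metadata_xml))

# --- constructed sample data: unsigned, X.509-shaped DER (short-form lengths only), not real certificates ---
def der(tag, body): return bytes([tag, len(body)]) + body
def toy_cert(not_after):
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption OID
    validity = der(0x30, der(0x17, b"150101000000Z") + der(0x17, not_after.strftime("%y%m%d%H%M%SZ").encode()))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + der(0x30, b"") + validity)
    return der(0x30, tbs + alg + der(0x03, b"\x00"))

OLD, NEW = toy_cert(datetime(2015, 10, 24, tzinfo=timezone.utc)), toy_cert(datetime(2018, 10, 24, tzinfo=timezone.utc))
KD = "<md:KeyDescriptor><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
METADATA = ('<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s" entityID="https://sp.example.org/shibboleth"><md:SPSSODescriptor>' % (NS["md"], NS["ds"])
            + "".join(KD % base64.b64encode(c).decode() for c in (OLD, NEW)) + "</md:SPSSODescriptor></md:EntityDescriptor>")
```

Run against real federation metadata, `login_still_works(xml, {your_sp_certs}, now)` turning False is the condition under which users stop logging in; the old cert merely being expired (while the new one is present at both ends) is not.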