From: Sander A. <sa....@fz...> - 2020-09-15 07:56:19
Hello Krzysztof,

I have some further information about this issue. The KIT IdP, which is renewing its certificate, offers at the moment two signing certificates in the federation metadata: the old one and the new one. This is a common way for the certificate renewal [1]. It seems that unity only supports one of them and this creates the mismatch. Unity should support all certificates which are provided via the IdP metadata. This rollover procedure should avoid outages for the users during the update procedure. Especially when you use federations it takes time until the information reaches the other end of the chain. In the best case only a few minutes, when the information reaches the next level before the level above fetches the information. In the bad case it takes several days, if the new information is only fetched once per day.

Is it possible that unity supports this common rollover mechanism for its own certificates in future?

Cheers,
Sander

[1]: https://www.switch.ch/aai/guides/sp/certificate-rollover/

On Mon, 2020-09-14 at 07:35 +0200, Sander Apweiler wrote:
> Hello Krzysztof,
> I encountered an old problem, which is still present in unity. If an
> IdP updated its certificate and provides it within the federation
> metadata, like eduGAIN, unity does not update the used certificate by
> the regular metadata update (once per hour). After the IdP changes its
> certificate unity just gives the attached error.
>
> Last metadata update before the error:
> 2020-09-11T09:40:46,282 [pool-2-thread-2] DEBUG unity.server.saml.MetaToSPConfigConverter: Added a trusted IdP loaded from SAML metadata: https://idp.scc.kit.edu/idp/shibboleth with urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect binding
> 2020-09-11T09:40:46,282 [pool-2-thread-2] DEBUG unity.server.saml.MetaToSPConfigConverter: Added a trusted IdP loaded from SAML metadata: https://idp.scc.kit.edu/idp/shibboleth with urn:oasis:names:tc:SAML:2.0:bindings:SOAP binding
> 2020-09-11T09:41:37,769 [pool-2-thread-2] DEBUG unity.server.saml.MetaToSPConfigConverter: Added a trusted IdP loaded from SAML metadata: https://idp.scc.kit.edu/idp/shibboleth with urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect binding
> 2020-09-11T09:41:37,769 [pool-2-thread-2] DEBUG unity.server.saml.MetaToSPConfigConverter: Added a trusted IdP loaded from SAML metadata: https://idp.scc.kit.edu/idp/shibboleth with urn:oasis:names:tc:SAML:2.0:bindings:SOAP binding
>
> Using federations like DFN or eduGAIN makes it impossible to know when
> a certificate is updated.
>
> Cheers,
> Sander

--
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Sitz der Gesellschaft: Juelich
Eingetragen im Handelsregister des Amtsgerichts Dueren Nr. HR B 3498
Vorsitzender des Aufsichtsrats: MinDir Volker Rieke
Geschaeftsfuehrung: Prof. Dr.-Ing. Wolfgang Marquardt (Vorsitzender),
Karsten Beneke (stellv. Vorsitzender), Prof. Dr.-Ing. Harald Bolt
-----------------------------------------------------------------------
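The rollover pattern described in the mail above, as an added example that is not code from the thread or from Unity: an SP-side routine that builds its trust set from an IdP's SAML metadata and honours every published signing KeyDescriptor rather than only the first one, so that messages signed with the new certificate validate while the old one is still published. The metadata document is constructed (the entityID is the one from the log lines, the certificate bodies are placeholders rather than real X.509 DER), and the function names `signing_certs`, `accepts_signer` and `accepts_signer_first_only` are mine; a fingerprint match stands in for the real XML signature verification an SP would perform with the certificate's public key.

```python
"""
Added example: collect ALL signing certificates an IdP publishes in its
SAML metadata, so a two-certificate rollover does not break the SP.
Metadata and certificate bodies below are constructed placeholders.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder "certificates" (constructed, not real DER). A real SP would
# parse real certificates here and verify the XML signature with their keys.
OLD_CERT = b"OLD-CERT-PLACEHOLDER"
NEW_CERT = b"NEW-CERT-PLACEHOLDER"
ENC_CERT = b"ENCRYPTION-ONLY-PLACEHOLDER"


def _b64(der: bytes) -> str:
    return base64.b64encode(der).decode()


# Constructed metadata: old and new signing KeyDescriptors side by side,
# the rollover layout the SWITCH guide referenced in the mail describes.
SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.scc.kit.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_b64(OLD_CERT)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_b64(NEW_CERT)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {_b64(ENC_CERT)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def signing_certs(metadata_xml: str) -> dict:
    """Map entityID -> list of DER signing certificates.

    A KeyDescriptor with use="signing", or with no use attribute (which in
    SAML metadata means usable for both signing and encryption), contributes;
    use="encryption" descriptors are skipped. Every match is kept, so a
    rollover with two signing certificates yields two entries.
    Works for a single EntityDescriptor or an EntitiesDescriptor aggregate.
    """
    root = ET.fromstring(metadata_xml)
    entity_tag = f"{{{NS['md']}}}EntityDescriptor"
    descriptors = [root] if root.tag == entity_tag else root.findall(".//md:EntityDescriptor", NS)
    trust = {}
    for ed in descriptors:
        certs = []
        for kd in ed.findall("./md:IDPSSODescriptor/md:KeyDescriptor", NS):
            if kd.get("use") not in (None, "signing"):
                continue
            for node in kd.findall(".//ds:X509Certificate", NS):
                # PEM-style line breaks inside the element are legal; strip them.
                certs.append(base64.b64decode("".join(node.text.split())))
        trust[ed.get("entityID")] = certs
    return trust


def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def accepts_signer(trust: dict, entity_id: str, presented: bytes) -> bool:
    """Rollover-safe check: the certificate carried in a signed SAML message
    is trusted if it matches ANY signing certificate published for the
    entity (fingerprint equality stands in for signature verification)."""
    known = {fingerprint(c) for c in trust.get(entity_id, [])}
    return fingerprint(presented) in known


def accepts_signer_first_only(trust: dict, entity_id: str, presented: bytes) -> bool:
    """The failure mode reported in the thread: only one published
    certificate is honoured, so messages signed with the new one are
    rejected until the old one disappears from the metadata."""
    certs = trust.get(entity_id, [])
    return bool(certs) and fingerprint(certs[0]) == fingerprint(presented)


if __name__ == "__main__":
    trust = signing_certs(SAMPLE_METADATA)
    kit = "https://idp.scc.kit.edu/idp/shibboleth"
    print(f"{len(trust[kit])} signing certificate(s) published for {kit}")
    for cert in (OLD_CERT, NEW_CERT):
        print(cert.decode(), "all-certs:", accepts_signer(trust, kit, cert),
              "first-only:", accepts_signer_first_only(trust, kit, cert))
```

Run stand-alone, the script shows the encryption-only descriptor being excluded and the new certificate accepted by the rollover-safe check but rejected by the first-certificate-only check. The remaining gap on the SP side is the metadata refresh interval itself: even a correct trust set is only as fresh as the last fetch, which is why the mail argues the IdP has to keep both certificates published for longer than the slowest refresh in the federation chain.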