From: Krzysztof B. <kb...@un...> - 2020-09-16 10:36:14
Hello Sander,

On 15.09.2020 at 09:55, Sander Apweiler wrote:
> Hello Krzysztof,
> I have some further information about this issue. The KIT IdP, which
> renews its certificate, offers at the moment two signing certificates
> in the federation metadata: the old one and the new one. This is a
> common way for the certificate renewal [1]. It seems that Unity only
> supports one of them and this creates the mismatch. Unity should
> support all certificates which are provided via the IdP metadata.
>
> This rollover procedure should avoid outages for the users during the
> update procedure. Especially when you use federations it takes time
> until the information reaches the other end of the chain. In the best
> case only a few minutes, when the information reaches the next level
> before the level above fetches the information. In the bad case it
> takes several days, if the new information is only fetched once per day.

We have an old ticket (2017 (!)) about the certificates not being updated after a metadata change. The ticket has a note that I was unable to reproduce it despite several tries.

The situation with multiple certificates of an IdP should work - it is supported. I.e. if the IdP metadata advertises more than one certificate, then Unity should accept all of them. This feature is, I think, less tested, so I can suspect that there may be some bug in it. I can add more detailed logging, which I'll do for the next revision - it should help to track down the problem.

We also have a pending ticket to be able to see in detail the runtime (effective) list of trusted IdPs for a SAML authenticator - but that's a bit bigger work, not planned in the near term.

> Is it possible that Unity supports this common rollover mechanism for
> its own certificates in future?

Yes, why not. We can add a new option to the IdP configuration, "former credential", which would be used for metadata only. Sounds rather easy. Do you consider this also for SP (i.e. Unity SAML authenticator)?

Best,
Krzysztof
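The rollover case discussed in this thread, as an added illustration that is not Unity code and not part of the original message: an IdP that advertises two `KeyDescriptor` entries in its SAML 2.0 metadata, and a relying party that must treat every advertised signing certificate as trusted rather than only the first one. The metadata below is constructed for the example (the certificate values are labelled placeholder bytes, not real X.509 certificates); the only assumption about the format is the standard SAML metadata layout, where a `KeyDescriptor` without a `use` attribute is valid for both signing and encryption.

```python
"""Collect every signing certificate an IdP advertises in SAML 2.0 metadata.

Added example, not Unity's code. Walks EntityDescriptor/IDPSSODescriptor/
KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate and keeps every
certificate that may sign (use="signing" or no `use` attribute), so a
verifier built on it keeps working through a certificate rollover.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _decode_cert(b64_text):
    """Metadata wraps base64 over several lines; strip all whitespace, then decode."""
    return base64.b64decode("".join(b64_text.split()))


def signing_certs(metadata_xml):
    """Return the DER bytes of every certificate usable for signing, in metadata order."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use")
        if use not in (None, "signing"):
            continue  # encryption-only key: must not be accepted as a signer
        for x509 in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append(_decode_cert(x509.text or ""))
    return certs


def is_trusted_signer(metadata_xml, cert_der):
    """True if cert_der matches ANY advertised signing certificate (rollover-safe)."""
    return cert_der in signing_certs(metadata_xml)


def stale_trust(metadata_xml, trusted_certs):
    """Advertised signing certs missing from a verifier's trust set.

    Non-empty output means the verifier would reject assertions signed with the
    new key during rollover, which is the symptom reported in the thread.
    """
    return [c for c in signing_certs(metadata_xml) if c not in trusted_certs]


# --- constructed sample input (placeholder bytes, not real certificates) ---
OLD_CERT = b"placeholder-old-signing-cert-der"
NEW_CERT = b"placeholder-new-signing-cert-der"
ENC_CERT = b"placeholder-encryption-only-cert-der"


def _b64(raw, wrap=0):
    """Base64-encode, optionally line-wrapped the way metadata files usually are."""
    s = base64.b64encode(raw).decode()
    return "\n".join(s[i:i + wrap] for i in range(0, len(s), wrap)) if wrap else s


SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.org/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
{_b64(OLD_CERT, 16)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(NEW_CERT)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64(ENC_CERT)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    print("advertised signers:", len(signing_certs(SAMPLE_METADATA)))
    print("new cert trusted:", is_trusted_signer(SAMPLE_METADATA, NEW_CERT))
    print("missing from a verifier that only knows the old cert:",
          stale_trust(SAMPLE_METADATA, {OLD_CERT}))
```

`stale_trust` is the check worth running when a federation partner announces a rollover: feed it the freshly fetched metadata and the set of certificates the SP actually trusts at runtime, and an empty result confirms the new key has propagated. The encryption-only `KeyDescriptor` is deliberately excluded, since a key advertised for encryption carries no authority to sign assertions.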