From: Sander A. <sa....@fz...> - 2020-09-21 05:22:51
Good morning Krzysztof,

I still owe you an answer to your last question.

On Wed, 2020-09-16 at 12:35 +0200, Krzysztof Benedyczak wrote:
> Hello Sander,
>
> On 15.09.2020 at 09:55, Sander Apweiler wrote:
> > Hello Krzysztof,
> >
> > I have some further information about this issue. The KIT IdP, which
> > is renewing its certificate, currently offers two signing certificates
> > in the federation metadata: the old one and the new one. This is a
> > common way of doing certificate renewal [1]. It seems that Unity only
> > supports one of them, and this creates the mismatch. Unity should
> > support all certificates which are provided via the IdP metadata.
> >
> > This rollover procedure should avoid outages for the users during the
> > update procedure. Especially when you use federations, it takes time
> > until the information reaches the other end of the chain. In the best
> > case only a few minutes, when the information reaches the next level
> > before the level above fetches the information. In the bad case it
> > takes several days, if the new information is only fetched once per
> > day.
>
> We have an old ticket (2017 (!)) about the certificates not being
> updated after a metadata change. The ticket has a note that I was unable
> to reproduce it despite several tries.
>
> The situation with multiple certificates of an IdP should work - it is
> supported. I.e. if IdP metadata advertises more than one certificate,
> then Unity should accept all of them. This feature is, I think, less
> tested, so I can suspect that there may be some bug in it.
>
> I can add more detailed logging, which I'll do for the next revision -
> it should help to track down the problem. We also have a pending ticket
> to be able to see in detail the runtime (effective) list of trusted IdPs
> for a SAML authenticator - but that's a bit bigger work, not planned in
> the near term.
>
> > Is it possible that Unity supports this common rollover mechanism for
> > its own certificates in future?
>
> Yes, why not. We can add a new option to the IdP configuration, "former
> credential", which would be used for metadata only. Sounds rather easy.
> Do you consider this also for the SP (i.e. the Unity SAML authenticator)?

Yes, it would also affect the SP. I guess, if Unity is used as a proxy, in
most cases the same certificate is used for the IdP and SP part. And you
need to do the rollover in the same way for both.

Cheers,
Sander

> Best,
> Krzysztof
>

-- 
Federated Systems and Data
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren district court, No. HR B 3498
Chairman of the supervisory board: MinDir Volker Rieke
Management: Prof. Dr.-Ing. Wolfgang Marquardt (Chairman),
Karsten Beneke (Deputy Chairman), Prof. Dr.-Ing. Harald Bolt
-----------------------------------------------------------------------
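As an added example (not Unity's code and not part of this thread), the following Python models the two sides of the rollover discussed above: an IdP publishing both the old and the new signing certificate in its SAML metadata, and an SP building its trust set from every advertised signing key rather than only the first one. The certificates are constructed placeholder byte strings (not real X.509 DER), the entity ID is made up, and only the key-selection step is modelled; real code would additionally verify the XML signature with the selected key.

```python
"""SAML metadata signing-certificate rollover, modelled with the stdlib only.

Constructed example; not Unity's implementation. The "certificates" are
placeholder bytes, not real DER, so only key selection is demonstrated.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)

# Constructed placeholders standing in for base64-encoded DER certificates.
OLD_CERT = base64.b64encode(b"placeholder-old-signing-cert-2019").decode()
NEW_CERT = base64.b64encode(b"placeholder-new-signing-cert-2020").decode()
ROGUE_CERT = base64.b64encode(b"placeholder-cert-never-advertised").decode()


def fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes: the usual way to identify a certificate."""
    return hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()


def build_metadata(entity_id: str, certs: list) -> str:
    """IdP side: publish an EntityDescriptor advertising every cert in `certs`
    as a signing key. During rollover this is called with [old, new]."""
    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    idp = ET.SubElement(
        root, f"{{{MD}}}IDPSSODescriptor",
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    for cert in certs:
        kd = ET.SubElement(idp, f"{{{MD}}}KeyDescriptor", use="signing")
        key_info = ET.SubElement(kd, f"{{{DS}}}KeyInfo")
        x509 = ET.SubElement(key_info, f"{{{DS}}}X509Data")
        ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = cert
    return ET.tostring(root, encoding="unicode")


def signing_certs(metadata_xml: str) -> list:
    """SP side: collect every signing certificate the metadata advertises.
    A KeyDescriptor with no `use` attribute is valid for both signing and
    encryption per the SAML metadata spec, so it is included as well."""
    root = ET.fromstring(metadata_xml)
    found = []
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only key, not a signature trust anchor
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            # Metadata often line-wraps the base64; normalise before hashing.
            found.append("".join((cert.text or "").split()))
    return found


def trust_set_first_only(metadata_xml: str) -> set:
    """The failure mode described in the thread: only the first advertised
    key is trusted, so assertions signed with the new key are rejected."""
    certs = signing_certs(metadata_xml)
    return {fingerprint(certs[0])} if certs else set()


def trust_set_all(metadata_xml: str) -> set:
    """Correct behaviour: trust every advertised signing key."""
    return {fingerprint(c) for c in signing_certs(metadata_xml)}


def accepts(trust: set, presented_cert_b64: str) -> bool:
    """Would a message signed with `presented_cert_b64` pass key selection?"""
    return fingerprint(presented_cert_b64) in trust


if __name__ == "__main__":
    md = build_metadata("https://idp.example.org/idp/shibboleth",  # made-up entityID
                        [OLD_CERT, NEW_CERT])
    for label, trust in (("first-only", trust_set_first_only(md)),
                         ("all-keys", trust_set_all(md))):
        print(label, "old:", accepts(trust, OLD_CERT),
              "new:", accepts(trust, NEW_CERT),
              "rogue:", accepts(trust, ROGUE_CERT))
```

The same `build_metadata` shape applies to the SP side of the "former credential" idea: an SP (or a Unity proxy acting as both IdP and SP) keeps its previous certificate in its published metadata alongside the new one until every federation consumer has refreshed, then drops the old entry.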