From: Krzysztof B. <kb...@un...> - 2020-09-21 07:05:09
Hi Sander,

On 21.09.2020 at 07:22, Sander Apweiler wrote:
> Good morning Krzysztof,
> I still owe you an answer on your last question.
>
> On Wed, 2020-09-16 at 12:35 +0200, Krzysztof Benedyczak wrote:
>> Hello Sander,
>>
>> On 15.09.2020 at 09:55, Sander Apweiler wrote:
>>> Hello Krzysztof,
>>> I have some further information about this issue. The KIT IdP, which
>>> renews its certificate, offers at the moment two signing certificates
>>> in the federation metadata: the old one and the new one. This is a
>>> common way for the certificate renewal [1]. It seems that Unity only
>>> supports one of them and this creates the mismatch. Unity should
>>> support all certificates which are provided via the IdP metadata.
>>>
>>> This rollover procedure should avoid outages for the users during the
>>> update procedure. Especially when you use federations it takes time
>>> until the information reaches the other end of the chain. In the best
>>> case only a few minutes, when the information reaches the next level
>>> before the level above fetches the information. In the bad case it takes
>>> several days, if the new information is only fetched once per day.
>> We have an old ticket (2017 (!)) about the certificates not being
>> updated after a metadata change. The ticket has a note that I was
>> unable to reproduce it despite several tries.
>>
>> The situation with multiple certificates of an IdP should work - it
>> is supported. I.e. if IdP metadata advertises more than one
>> certificate, then Unity should accept all of them. This feature is, I
>> think, less tested, so I can suspect that there may be some bug in it.
>>
>> I can add more detailed logging, which I'll do for the next revision - it
>> should help to track down the problem. We also have a pending ticket to be
>> able to see in detail the runtime (effective) list of trusted IdPs for
>> a SAML authenticator - but that's a bit bigger work, not planned in the
>> near term.
>>
>>> Is it possible that Unity supports this common rollover mechanism for
>>> its own certificates in future?
>> Yes, why not. We can add a new option to the IdP configuration, "former
>> credential", which would be used for metadata only. Sounds rather easy.
>> Do you consider this also for SP (i.e. Unity SAML authenticator)?
> Yes, it would also affect the SP. I guess, if Unity is used as a proxy,
> in most cases the same certificate is used for the IdP and SP part. And you
> need to do the rollover in the same way for both.

That was my assumption too, agreed.

One extra note: this task is more involved than I first thought: we also need to support decryption, and we need to be able to decrypt with either of the certificates.

Cheers,
Krzysztof
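The rollover case discussed in the thread, as an added example that is not Unity's code: an SP-side helper that collects every certificate an IdP advertises in its SAML metadata, so that an assertion signed with either the old or the new key is accepted. The metadata and certificate strings are constructed placeholders; the XML signature check itself is assumed to be done by the SAML library, this only builds the trust list it should use.

```python
# Added example, not part of Unity: gather all keys an IdP advertises so the SP
# trusts both the old and the new certificate during a rollover.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed metadata: the IdP publishes old and new certificate side by side.
# The certificate values are placeholders, not real base64 DER.
METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        OLD-CERT-PLACEHOLDER
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>NEW-CERT-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def advertised_certs(metadata_xml, use):
    """All certificates advertised for `use` ("signing" or "encryption").
    A KeyDescriptor without a `use` attribute applies to both purposes, so it
    must not be skipped; that is exactly the kind of key a rollover adds."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, use):
            continue
        for c in kd.iterfind(".//ds:X509Certificate", NS):
            cert = "".join(c.text.split())  # drop PEM-style line breaks
            if cert not in certs:
                certs.append(cert)
    return certs


def is_trusted_signer(presented_cert, metadata_xml):
    """True if the signing certificate matches ANY advertised one; keeping
    only the first entry is the mismatch the thread describes."""
    wanted = "".join(presented_cert.split())
    return wanted in advertised_certs(metadata_xml, "signing")


if __name__ == "__main__":
    print(advertised_certs(METADATA, "signing"))
    print(is_trusted_signer("NEW-CERT-PLACEHOLDER", METADATA))
```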