Rolling over IdP SAML 2.0 certs


Patryk Sondej

Aug 12, 2024, 8:14:19 AM
to CAS Community
Is rollover of IdP SAML 2.0 certs supported in CAS?
E.g. primary (old) + secondary (new).
I can't find anything in the documentation.


Matthew Gordon

Aug 16, 2024, 4:07:57 PM
to CAS Community, Patryk Sondej
Sorry, I can't help, but I am also interested in this, if anyone has any ideas?

Thank you,
Matt

Ray Bon

Aug 25, 2024, 1:11:05 PM
to cas-...@apereo.org
Patryk,

If you have a dev environment, you can check this. Maybe cat the old and new keys/certs into idp-signing.{key,crt}.

Ray

On Mon, 2024-08-12 at 03:33 -0700, Patryk Sondej wrote:

Matthew Gordon

Oct 23, 2025, 11:24:04 AM
to CAS Community
Hello,

Did this actually work, or is there a recommended solution?

Thank you,
Matt

Matthew Gordon

Oct 24, 2025, 10:06:45 AM
to CAS Community, Matthew Gordon
There is a per service option that seems to work:

https://apereo.github.io/cas/7.3.x/installation/Configuring-SAML2-DynamicMetadata.html#per-service

[Screenshot: CAS - SAML2 Metadata Management]

The SAML response still appears to have the default IdP cert in it, but the SP needs the updated metadata certificate to function. I put the new metadata, cert, and key in the above directory.

Thank you,
Matt
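The check an SP operator would want while both certificates are live, as described in Ray's and Matt's replies above: confirm that the certificate carried in a signed SAML Response is one of the signing certificates listed in the IdP metadata the SP trusts, and that the metadata actually lists both the old and the new cert. This is an added example, not CAS code or anything from the thread; the metadata, the Response and the certificate values are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from typing import List, Optional

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed IdP metadata for a rollover: old and new signing certs published side by side.
# Certificate values are placeholders (base64 of "OLDCERT"/"NEWCERT"/"ENCCERT"), not real X.509 data.
IDP_METADATA = """<md:EntityDescriptor entityID="https://idp.example.org/idp"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>T0xEQ0
    VSVA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>TkVXQ0VSVA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>RU5DQ0VSVA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed Response still signed with the old certificate (the SignatureValue is a placeholder).
OLD_SIGNED_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0"><ds:Signature>
 <ds:SignatureValue>c2ln</ds:SignatureValue><ds:KeyInfo><ds:X509Data>
  <ds:X509Certificate>T0xEQ0VSVA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
</samlp:Response>"""

def _normalize(b64: str) -> str:
    """Drop line breaks and spaces so PEM-wrapped and single-line encodings compare equal."""
    return "".join(b64.split())

def signing_certs(metadata_xml: str) -> List[str]:
    """Certs the SP may trust for signatures. A KeyDescriptor with no 'use' attribute
    is valid for both signing and encryption, so it counts; use="encryption" does not."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":
            certs += [_normalize(c.text or "") for c in kd.iterfind(".//ds:X509Certificate", NS)]
    return certs

def response_cert(response_xml: str) -> Optional[str]:
    """Certificate carried in the Response's ds:KeyInfo, or None if the signature has none."""
    c = ET.fromstring(response_xml).find(".//ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return _normalize(c.text) if c is not None and c.text else None

def cert_trusted_by_metadata(response_xml: str, metadata_xml: str) -> bool:
    """True if the Response's signing cert is listed in the metadata. The cryptographic
    signature verification itself is the SP library's job and is not done here."""
    cert = response_cert(response_xml)
    return cert is not None and cert in signing_certs(metadata_xml)
```

Run it against the metadata your SP actually fetched from CAS, not the file you edited on the IdP side: the failure mode in this thread is a Response signed with the old cert reaching an SP whose metadata copy only lists the new one.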