Key rollover and SingleSignOnService Endpoint


Domingos Gonçalves
Sep 3, 2020, 7:07:05 AM
to OpenConext Community

Hello,

We have a new certificate on engine to perform a key rollover and it's working fine for the IdPs.


But for the SPs we are having some issues.


To add the key rollover we added the new certificate to /etc/openconext/engineblock.ini like below:

; Additional keys for easy key rollover
encryption.keys.20200211.privateFile = /etc/openconext/engineblock.20200211.key
encryption.keys.20200211.publicFile = /etc/openconext/engineblock.20200211.crt



After refreshing the engine cache we can see the new links for the new key:

[screenshot: 2020_09_03_12_03_33_.png]

In our case the link (https://engine.qua.rctsaai.pt/authentication/idp/metadata/key:20200211) with the new key has the SingleSignOnService endpoint https://engine.qua.rctsaai.pt/authentication/idp/single-sign-on


Shouldn't the SingleSignOnService endpoint be something like https://engine.qua.rctsaai.pt/authentication/idp/single-sign-on/key:20200211?



Regards,


Domingos


Thijs Kinkhorst
Sep 4, 2020, 10:05:45 AM
to openc...@googlegroups.com
Hi Domingos,

Op 03-09-2020 om 13:07 schreef Domingos Gonçalves:
> with the new key has *SingleSignOnService* endpoint
> is *https://engine.qua.rctsaai.pt/authentication/idp/single-sign-on* 
>
> The *SingleSignOnService* endpoint shouldn't be something
> like *https://engine.qua.rctsaai.pt/authentication/idp/single-sign-on/key:20200211?*

Yes. It's a bug I'm afraid. It seems to have been introduced in EB 6.1
when the metadata generation was refactored. I will ask our developers to
look into it.


Cheers,
Thijs

Michiel Kodde
Sep 7, 2020, 6:02:11 AM
to openc...@googlegroups.com
Hi Domingos,

Thanks for reporting this issue! I've opened a PR that should take care of this bug.


The PR should land in a release (6.3.3) sometime later this week.

With kind regards
Michiel

Domingos Gonçalves
Sep 7, 2020, 8:49:33 AM
to OpenConext Community
Hi Michiel,

Thanks for your fast reaction.

I already saw the new release available.

Thank you

Domingos Gonçalves

Michiel Kodde
Sep 7, 2020, 9:10:25 AM
to openc...@googlegroups.com
Hello Domingos,


The IdP metadata should now show the SSO location including the rollover key.

Hope this helps!
Michiel
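The check Domingos was doing by hand in the first message (does the metadata served under the key:20200211 URL advertise an SSO endpoint that also carries the key suffix?) and the behaviour Michiel says 6.3.3 restores can be verified automatically before an SP imports rollover metadata. The script below is an added example and is not code from OpenConext or EngineBlock; the two metadata documents are constructed to mimic the shape of SAML 2.0 IdP metadata, and the engine.example.org hostname, the 20200211 key id and the function names are assumptions of this example.

```python
"""Consistency check for IdP metadata published under a rollover-key URL.

Added example, not OpenConext/EngineBlock code. Metadata fetched from
.../authentication/idp/metadata/key:<id> should advertise SingleSignOnService
Locations ending in /key:<id>; if it does not, an SP that imports this metadata
will keep sending AuthnRequests to the endpoint of the old key.
"""
from typing import List, Optional
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"


def key_id_from_metadata_url(url: str) -> Optional[str]:
    """Extract <id> from a '.../metadata/key:<id>' URL; None if there is no suffix."""
    last_segment = urlparse(url).path.rstrip("/").rsplit("/", 1)[-1]
    return last_segment[len("key:"):] if last_segment.startswith("key:") else None


def check_rollover_metadata(metadata_xml: str, metadata_url: str) -> List[str]:
    """Return a list of findings; an empty list means the document is consistent."""
    key_id = key_id_from_metadata_url(metadata_url)
    if key_id is None:
        return [f"metadata URL has no key: suffix, nothing to check: {metadata_url}"]
    expected_suffix = f"/key:{key_id}"

    findings: List[str] = []
    root = ET.fromstring(metadata_xml)
    idp = root.find(f"{{{MD_NS}}}IDPSSODescriptor")
    if idp is None:
        return ["no IDPSSODescriptor element in metadata"]

    endpoints = idp.findall(f"{{{MD_NS}}}SingleSignOnService")
    if not endpoints:
        findings.append("no SingleSignOnService endpoint advertised")
    for endpoint in endpoints:
        location = endpoint.get("Location", "")
        # Compare on the URL path so query strings or fragments cannot mask a mismatch.
        if not urlparse(location).path.endswith(expected_suffix):
            findings.append(
                f"SingleSignOnService ({endpoint.get('Binding')}) Location lacks "
                f"{expected_suffix}: {location}"
            )
    return findings


# Constructed sample data (placeholder hostname and key id, not real metadata).
METADATA_URL = "https://engine.example.org/authentication/idp/metadata/key:20200211"


def _metadata(sso_location: str) -> str:
    """Build a minimal constructed IdP metadata document with one SSO endpoint."""
    return f"""<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="{METADATA_URL}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="{sso_location}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


# The shape reported in the thread (bug introduced in EB 6.1): no key suffix on the SSO Location.
BUGGY_METADATA = _metadata("https://engine.example.org/authentication/idp/single-sign-on")
# The shape the 6.3.3 fix is described to produce: the SSO Location carries the rollover key.
FIXED_METADATA = _metadata("https://engine.example.org/authentication/idp/single-sign-on/key:20200211")

if __name__ == "__main__":
    for name, document in (("buggy", BUGGY_METADATA), ("fixed", FIXED_METADATA)):
        print(name, check_rollover_metadata(document, METADATA_URL) or "OK")
```

Run it against a real document by fetching the key-suffixed metadata URL and passing the body plus that URL to check_rollover_metadata; a non-empty result means SPs importing the metadata would still be pointed at the old key's endpoint.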