Key rollover for SP if external IdP is changing certificates


Sebastian Bölling

Sep 9, 2021, 8:50:06 AM
to SimpleSAMLphp
Hi,

I have an application which is integrating SimpleSAMLphp as a Service Provider. I have configured an external IdP (not based on SimpleSAMLphp) in the file metadata/saml20-idp-remote.php. The authentication against the IdP is working fine.

Now my question: My IdP wants to change its certificate, which is used to sign assertions, frequently. What is the preferred method to change the certificate in my metadata/saml20-idp-remote.php without downtime for users who want to authenticate and use my application?

My configuration of metadata/saml20-idp-remote.php is (simplified):

<?php
$metadata['urn:idp:iam'] = [
    'SingleSignOnService' => 'https://.../SSOService',
    'SingleLogoutService' => 'https://.../SingleLogoutService',
    'certificate' => '/opt/certs/idpcert.pem',
];

My configuration of config/authsources.php is (simplified):

<?php
$config = [

    // This is an authentication source which handles admin authentication.
    'admin' => [
        // The default is to use core:AdminPassword, but it can be replaced with
        // any authentication source.
        'core:AdminPassword',
    ],

    /* This is the name of this authentication source, and will be used to access it later. */
    'default-sp' => [
        'saml:SP',
        'entityID' => 'https://entityid',
        'idp' => 'urn:idp:iam',
    ],
];

I saw the key rollover documentation under https://simplesamlphp.org/docs/stable/saml:keyrollover which is using old and new certificates in parallel - but this seems to work only for a hosted SP and not for a remote IdP, which is what I have to use.

Thanks in advance

Regards

Sebastian

pat...@cirrusidentity.com

Sep 9, 2021, 2:10:45 PM
to SimpleSAMLphp
Hi Sebastian,

Does the IdP publish its SAML metadata? If so you can use this module https://github.com/simplesamlphp/simplesamlphp-module-metarefresh/blob/master/docs/simplesamlphp-automated_metadata.md to automatically retrieve it. This way the IdP can make changes, add certificates, etc. without you needing to do anything.

- Patrick

Peter Schober

Sep 9, 2021, 2:53:08 PM
to SimpleSAMLphp
* Sebastian Bölling <sebastian...@gmail.com> [2021-09-09 14:50]:
> My IdP wants to change his certificate, which is used to signing
> assertions, frequently. What is the preferred method to change the
> certificate in my metadata/saml20-idp-remote.php without downtime
> for users who want to authenticate and use my application?

Since you're asking about the preferred method: There is definitely
one, but that requires the IDP to do a proper key rollover, as Patrick
said.

That means first adding the new certificate from their new signing key
pair to their metadata (or telling you to do the same, manually),
waiting for this to propagate (or be done manually) at all the SPs
using their IDP, and then switching over to signing with the new key
(matching the newly distributed certificate) at their own leisure --
without requiring close synchronisation with any of the SPs.

After a while the IDP can remove the old cert from its metadata (or
tell all SPs to remove the old cert from the IDP metadata manually) to
clean up and finalise the key rollover.

If you're looking for more info on that try a web search for "key
rollover" and possibly the terms "InCommon" or "SWITCH". You should
find instructions and conceptual descriptions, even if those may be
talking about different SAML implementations ("Shibboleth").

-peter
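The "both certificates in parallel" step of the rollover Peter describes, written out for the remote-IdP entry from the first post. This is an added example, not code from the thread or from the SimpleSAMLphp project: it uses the `keys` option of saml20-idp-remote (a list of certificates) in place of the single `certificate` option, and assumes the new PEM file lives at /opt/certs/idpcert-new.pem.

```php
<?php
// Added example: trust the IdP's current and next signing certificates at
// the same time, so the IdP can switch keys without coordinating the exact
// moment with this SP. The IdP entity ID and endpoints are the placeholders
// from the thread; /opt/certs/idpcert-new.pem is an assumed path.

// Return the base64 body of a PEM certificate, which is the form the
// 'X509Certificate' entry expects (no BEGIN/END lines, no whitespace).
function pemToBase64(string $path): string
{
    $pem = file_get_contents($path);
    if ($pem === false) {
        throw new RuntimeException("Cannot read certificate file: $path");
    }
    $body = preg_replace('/-----(BEGIN|END) CERTIFICATE-----/', '', $pem);
    return preg_replace('/\s+/', '', $body);
}

$metadata['urn:idp:iam'] = [
    'SingleSignOnService' => 'https://.../SSOService',
    'SingleLogoutService' => 'https://.../SingleLogoutService',
    // Rollover step 1: list both certificates as signing keys. An assertion
    // signed with either private key validates during the overlap period.
    'keys' => [
        [
            'type'            => 'X509Certificate',
            'signing'         => true,
            'encryption'      => false,
            'X509Certificate' => pemToBase64('/opt/certs/idpcert.pem'),     // current key
        ],
        [
            'type'            => 'X509Certificate',
            'signing'         => true,
            'encryption'      => false,
            'X509Certificate' => pemToBase64('/opt/certs/idpcert-new.pem'), // next key
        ],
    ],
];
// Rollover step 2 (later): once the IdP signs with the new key only, delete
// the first entry and the old PEM file to finish the rollover.
```

If the IdP publishes metadata and you run metarefresh as Patrick suggests, the generated entry contains this same `keys` list and the manual edit is unnecessary.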