Handling of certificate changes - kmd-identity/documentation GitHub Wiki
KMD Identity monitors the metadata endpoint of SAML applications; however, this only happens at certain intervals (currently every 4 hours).
Therefore, if you are planning to make changes to the certificates used by your application for signing or decryption, you need to take this into consideration, or your users will be unable to log in for up to 4 hours.
When would you make changes to your certificates?
- If the certificates are about to expire.
- If the certificates are about to be revoked by the Certificate Authority (e.g. OCES2 certificates).
- If the private key of the certificate has been compromised.
There are 3 general options:
- Option 1 - [Trivial] - If being unable to authenticate in your application for a period of time is acceptable (for example, in a test environment), you can choose to update your metadata and wait for KMD Identity to see the changes automatically.
- Option 2 - [Easy, recommended] - If you want to avoid being unable to authenticate in your application for any period of time (for example, in a production environment), you can contact KMD Identity and request to have your metadata refreshed at a specific, agreed-upon time. Be sure to include in the request the entityID of your application and the specific time at which you want the metadata to be refreshed (re-read) by KMD Identity.
- Option 3 - [Complex] - Write a SAML service provider that supports multiple certificates, to handle a graceful transition from one set of certificates to another. This will in theory enable you to continue signing your SAML requests with the old/current certificate while also announcing the new/upcoming signing and encryption certificate in your metadata for a period of time, before switching over to sign with the new one. This service provider should also support decrypting SAML responses that were encrypted with either the old or the new certificate while the transition is in progress.
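As an added example (not KMD Identity's code, nor that of any SAML library), the metadata shape Option 3 relies on: Python that emits SP metadata listing both the old and the new certificate as separate KeyDescriptor elements, parses such metadata the way an IdP would, and picks the decryption key matching the certificate a response was encrypted to. The entityID and certificate values are constructed placeholders.

```python
# Added example (not KMD Identity's or any library's code): SP metadata that
# announces both the current and the upcoming certificate during a rollover,
# and the key lookup an SP needs to decrypt responses encrypted to either one.
# Certificate values are constructed placeholders, not real certificates.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)


def build_sp_metadata(entity_id, signing_certs, encryption_certs):
    """Emit SP metadata with one KeyDescriptor per certificate, so the IdP
    accepts signatures from, and encrypts to, old and new certificates alike
    while it only re-reads the metadata every few hours."""
    root = ET.Element(f"{{{MD}}}EntityDescriptor", entityID=entity_id)
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor",
                       protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol")
    for use, certs in (("signing", signing_certs), ("encryption", encryption_certs)):
        for cert_b64 in certs:
            kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", use=use)
            x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
            ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = cert_b64
    return ET.tostring(root, encoding="unicode")


def key_descriptors(metadata_xml):
    """Parse metadata into {"signing": [...], "encryption": [...]}; a
    KeyDescriptor with no "use" attribute counts for both purposes."""
    found = {"signing": [], "encryption": []}
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:KeyDescriptor", NS):
        cert = kd.find(".//ds:X509Certificate", NS).text.strip()
        for use in ([kd.get("use")] if kd.get("use") else found):
            found[use].append(cert)
    return found


def select_decryption_key(private_keys_by_cert, key_info_cert):
    """Return the private key for the certificate named in the response's
    KeyInfo; keeping both old and new keys during the transition means a
    response encrypted to either certificate can still be decrypted."""
    try:
        return private_keys_by_cert[key_info_cert.strip()]
    except KeyError:
        raise ValueError("response encrypted to an unknown certificate") from None
```

Publish the two-certificate metadata, wait at least one full KMD Identity refresh interval, and only then start signing with the new certificate and retire the old private key.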
We have in our backlog a feature that, once implemented, will enable our service providers to force a refresh of their metadata themselves via UI and API.