
Service Provider Key Rollover

IMPORTANT! If you have any pre-existing Bilateral Relationships with any other Identity Providers outside of InCommon, you must inform them that you plan on completing a Key Rollover. If you complete this process prior to informing the other parties, you will receive significant SAML errors that will impact your service and your users. Bilateral Relationships are your responsibility - only the Service Provider can properly manage a Bilateral Relationship.


For more information on Certificate Migration (Key Rollover), review the Certificate Migration page.

  1. Complete Step 4 - Create/Rollover Certificate and Key Files.
  2. Review the Key Rollover section and complete all applicable steps using the files from step 1.
  3. Restart the web server and SAML software for changes to take effect.
  4. Do one of the following:
    • Delegated Administrators: log in to the Federation Manager and update your SPs directly.
    • Everyone else: Submit your new certificate to the Shibboleth Team with the following details:
      Mail to: shibboleth-team@andrew.cmu.edu
      Subject: Certificate Rollover Request
      Body: Include the following in the message body:
        1. SP Host Name - the fully qualified DNS name that your audience will use to access your web service.
        2. The contents of the sp-cert.pem file, pasted into the body of the message.

      Note: You will be contacted once the certificate rollover request is complete.


IMPORTANT! Completion of Process

Delegated Administrators
In 3-4 business days, complete the Key Rollover process as follows:

  1. Remove your old key from InCommon.
  2. Remove your old key from your local SP configuration.
  3. Restart the web server and SAML software for changes to take effect.

Everyone Else
  1. Within 3-4 business days, the Shibboleth Team will notify you that your old key has been removed from InCommon.
    Note: Do not proceed until you are notified.
  2. Remove the old key from your local SP configuration.
  3. Restart the web server and SAML software for changes to take effect.
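The local SP configuration change that the "Remove the old key" and "Restart" steps above refer to, shown as an added illustration that is not part of this page or of CMU's own configuration: in a Shibboleth SP 2.x shibboleth2.xml, the transitional state carries both key pairs in a Chaining CredentialResolver, and the completion step reduces it to the new pair alone. The two elements below are the before and after states of the same CredentialResolver element, not two elements present at once. sp-cert.pem is the file name the page uses; sp-key.pem, sp-key-old.pem and sp-cert-old.pem are assumed names. The SP signs with the first resolver in the chain and tries every resolver when decrypting; listing the old pair first during the transition is an assumption made here so that signing continues with the key Identity Providers already trust until the new certificate has propagated (follow the order given on the Certificate Migration page's Key Rollover section if it differs).

```xml
<!-- Added example (not from this page): the CredentialResolver element inside
     <ApplicationDefaults> of a Shibboleth SP 2.x shibboleth2.xml.
     File names other than sp-cert.pem are assumptions. -->

<!-- BEFORE completion: both key pairs loaded while both certificates are published -->
<CredentialResolver type="Chaining">
    <!-- first entry: used for signing and TLS client authentication
         (assumption: keep the key IdPs already trust here until the
          new certificate has propagated through InCommon metadata) -->
    <CredentialResolver type="File" key="sp-key-old.pem" certificate="sp-cert-old.pem"/>
    <!-- every entry in the chain is tried when decrypting, so assertions
         encrypted to the new certificate are readable as soon as an IdP
         picks it up from metadata -->
    <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
</CredentialResolver>

<!-- AFTER completion (old key removed from InCommon): only the new pair remains,
     so the chain is no longer needed and the plain File resolver suffices -->
<CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/>
```

After editing, check the file with `shibd -t` before restarting shibd and the web server, and once the old pair is out of the configuration delete sp-key-old.pem from disk rather than leaving a retired private key readable next to the live one. Removing the old pair locally before InCommon (or a bilateral partner) has stopped publishing the old certificate is what produces the SAML errors the page warns about: an IdP still encrypting to the old certificate sends assertions the SP can no longer decrypt.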


Last Updated: 04/21/2014