...
- Configure the SP software as follows:
  - Continue to use the old key as a signing key, a TLS key, and/or a decryption key
  - In addition, use the new key as a decryption key only
- Update the SP metadata as follows:
  - Add a new <md:KeyDescriptor> element (with no use XML attribute)
  - Change the old <md:KeyDescriptor> element to an <md:KeyDescriptor use="signing"> element
- Add a new
- Wait for the newly updated metadata to propagate throughout the Federation. Two weeks is safe, although longer times may be needed, depending on the operational practices of your partners.
- Configure the SP software as follows:
  - Use the new key as a signing key, a TLS key, and/or a decryption key
  - Discontinue use of the old key
- Remove the old <md:KeyDescriptor use="signing"> element from SP metadata.
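The two metadata edits above are easy to get wrong by hand, and a metadata file in the intermediate state is only safe if it contains exactly one old descriptor restricted to use="signing" and exactly one new descriptor with no use attribute. The script below is an added example, not code from the original page or from any SP software; it uses only the Python standard library. It applies the two phases of the procedure to a constructed SP metadata fragment (the entityID and the certificate bodies are placeholders, not real certificates) and classifies which phase a given metadata document is in, so the result can be checked before publishing it to the Federation.

```python
import xml.etree.ElementTree as ET

# SAML metadata and XML Signature namespaces; registering the prefixes keeps
# the familiar md:/ds: prefixes when the edited document is serialized again.
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)
NS = {"md": MD, "ds": DS}

# Constructed sample input: placeholder certificate bodies, not real X.509 data.
OLD_CERT = "MIIC-OLD-CERT-PLACEHOLDER"
NEW_CERT = "MIIC-NEW-CERT-PLACEHOLDER"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{OLD_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.org/Shibboleth.sso/SAML2/POST" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _sp(root):
    return root.find("md:SPSSODescriptor", NS)


def key_descriptors(xml_text):
    """Return [(use, certificate)] for each md:KeyDescriptor in document order.
    use is None when the attribute is absent, i.e. the key may be used for
    both signing and encryption."""
    root = ET.fromstring(xml_text)
    result = []
    for kd in _sp(root).findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS).text.strip()
        result.append((kd.get("use"), cert))
    return result


def _make_key_descriptor(cert, use=None):
    kd = ET.Element(f"{{{MD}}}KeyDescriptor")
    if use is not None:
        kd.set("use", use)
    key_info = ET.SubElement(kd, f"{{{DS}}}KeyInfo")
    x509_data = ET.SubElement(key_info, f"{{{DS}}}X509Data")
    ET.SubElement(x509_data, f"{{{DS}}}X509Certificate").text = cert
    return kd


def begin_rollover(xml_text, new_cert):
    """Phase 1 of the procedure: restrict the old descriptor to use="signing"
    and add the new key as an unrestricted descriptor. Refuses to run unless
    the metadata is in the steady state (exactly one unrestricted key)."""
    root = ET.fromstring(xml_text)
    sp = _sp(root)
    kds = sp.findall("md:KeyDescriptor", NS)
    if len(kds) != 1 or kds[0].get("use") is not None:
        raise ValueError("expected exactly one KeyDescriptor with no use attribute")
    old = kds[0]
    old.set("use", "signing")
    # Insert directly after the old descriptor so the KeyDescriptor elements
    # stay contiguous, as the metadata schema requires.
    position = list(sp).index(old)
    sp.insert(position + 1, _make_key_descriptor(new_cert))
    return ET.tostring(root, encoding="unicode")


def complete_rollover(xml_text):
    """Phase 2 of the procedure: remove the old use="signing" descriptor,
    leaving only the new key. Refuses to run unless the metadata is in the
    intermediate rollover state."""
    root = ET.fromstring(xml_text)
    sp = _sp(root)
    kds = sp.findall("md:KeyDescriptor", NS)
    signing_only = [kd for kd in kds if kd.get("use") == "signing"]
    unrestricted = [kd for kd in kds if kd.get("use") is None]
    if len(signing_only) != 1 or len(unrestricted) != 1:
        raise ValueError('expected one use="signing" (old) and one unrestricted (new) KeyDescriptor')
    sp.remove(signing_only[0])
    return ET.tostring(root, encoding="unicode")


def rollover_phase(xml_text):
    """Classify metadata as 'steady', 'rollover', or 'invalid' for this procedure."""
    uses = [use for use, _ in key_descriptors(xml_text)]
    if uses == [None]:
        return "steady"
    if len(uses) == 2 and uses.count("signing") == 1 and uses.count(None) == 1:
        return "rollover"
    return "invalid"


if __name__ == "__main__":
    phase1 = begin_rollover(SAMPLE_METADATA, NEW_CERT)
    print(rollover_phase(phase1), key_descriptors(phase1))
    phase2 = complete_rollover(phase1)
    print(rollover_phase(phase2), key_descriptors(phase2))
```

The phase checks in begin_rollover and complete_rollover are the point of the example: during the waiting period the old key must still be advertised for signing (partners with stale metadata keep validating the SP's signatures) while only the new key is offered for encryption, and the SP software must decrypt with both keys until the old descriptor is finally removed. Running complete_rollover before the metadata has propagated, or begin_rollover twice, is rejected rather than silently producing metadata that breaks one side of the exchange.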
...