Comment: Published by Scroll Versions from space federationedit and version 1.2

...

Info: Use of TLS Certificates

In addition to message-level signing and encryption, X.509 certificates in metadata are used for TLS back-channel SOAP exchanges, typically on a nonstandard port such as 8443. These certificates are not the same as, and have nothing to do with, the TLS server certificates used for browser-facing transactions over port 443. Certificates of the latter type are not contained in metadata and are not addressed here.

Terminology

Definition. A role descriptor is a metadata element whose type is based on the SAML md:RoleDescriptorType type.

...

To avoid complications with non-conforming IdPs, it is further RECOMMENDED that there be exactly one encryption key in SP metadata at all times. To facilitate this practice, the administrative interface permits an existing certificate in SP metadata to be modified such that the parent key descriptor has an use="signing" XML attribute if and only if there is another key descriptor with no use XML attribute. See the SP Certificate Migration topic for details.
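The two conventions above (exactly one encryption key in SP metadata, and `use="signing"` permitted only when another key descriptor carries no `use` attribute) can be checked mechanically before metadata is submitted or when reviewing a migration. The script below is an added example written for this page; it is not part of the federation's administrative interface or any federation tool. It assumes the standard SAML metadata semantics that a `md:KeyDescriptor` with no `use` attribute is usable for both signing and encryption, and it counts such descriptors together with `use="encryption"` descriptors as "encryption keys". The sample metadata is constructed inline and the certificate values are placeholders, not real certificates.

```python
"""Check SP metadata key descriptors against the conventions in the text above.

Added example, not code from the original page or from any federation tool.
Rules checked:
  1. Exactly one encryption-capable key should be present at all times.
     A KeyDescriptor with no `use` attribute is usable for both signing and
     encryption (SAML metadata semantics), so it counts as an encryption key,
     as does a KeyDescriptor with use="encryption".
  2. A KeyDescriptor with use="signing" is permitted only if another
     KeyDescriptor with no `use` attribute exists.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def key_descriptors(sp_metadata_xml: str):
    """Return [(use_attribute_or_None, certificate_text)] for every KeyDescriptor
    found under md:SPSSODescriptor."""
    root = ET.fromstring(sp_metadata_xml)
    found = []
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use")  # None when the attribute is absent
        cert = kd.findtext(".//ds:X509Certificate", default="", namespaces=NS).strip()
        found.append((use, cert))
    return found


def check_key_descriptors(sp_metadata_xml: str):
    """Return a list of findings; an empty list means both conventions are followed."""
    uses = [use for use, _ in key_descriptors(sp_metadata_xml)]
    findings = []

    # Rule 1: exactly one encryption-capable key.
    encryption_keys = [u for u in uses if u in (None, "encryption")]
    if len(encryption_keys) != 1:
        findings.append(
            f"expected exactly one encryption key, found {len(encryption_keys)}"
        )

    # Rule 2: use="signing" only alongside a descriptor with no use attribute.
    if "signing" in uses and None not in uses:
        findings.append(
            'use="signing" present without a key descriptor that has no use attribute'
        )
    return findings


def make_sp_metadata(uses):
    """Build constructed sample SP metadata with one KeyDescriptor per entry in
    `uses` (None = no use attribute). Entity ID and certificates are placeholders."""
    kds = []
    for i, use in enumerate(uses):
        attr = f' use="{use}"' if use else ""
        kds.append(
            f"<md:KeyDescriptor{attr}><ds:KeyInfo><ds:X509Certificate>"
            f"PLACEHOLDER-CERT-{i}</ds:X509Certificate></ds:KeyInfo></md:KeyDescriptor>"
        )
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
        'entityID="https://sp.example.org/placeholder">'
        '<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
        + "".join(kds)
        + "</md:SPSSODescriptor></md:EntityDescriptor>"
    )


if __name__ == "__main__":
    # Steady state: one key, no use attribute.
    print("single key:", check_key_descriptors(make_sp_metadata([None])))
    # Migration state: old key restricted to signing, new key unrestricted.
    print("migration:", check_key_descriptors(make_sp_metadata([None, "signing"])))
    # Two unrestricted keys: non-conforming IdPs may pick the wrong encryption key.
    print("two keys:", check_key_descriptors(make_sp_metadata([None, None])))
    # Signing-only key with nothing else: no encryption key at all.
    print("signing only:", check_key_descriptors(make_sp_metadata(["signing"])))
```

The migration case (`[None, "signing"]`) passes because it is exactly the state the administrative interface is described as permitting: the certificate being retired is restricted to signing while the new certificate, with no `use` attribute, is the single encryption key. Two descriptors with no `use` attribute fail rule 1 even though each is individually valid SAML, which is the situation the text recommends avoiding.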