
Key Order in the Configuration

The new decryption key should be listed first in the SP implementation. After step 2 the new key is the only encryption key listed in the SP's metadata, so every IdP that has refreshed its metadata will encrypt assertions to the new key; trying that key first means fewer failed decryption attempts. The old key must remain configured as a fallback, since IdPs still working from stale metadata will continue to encrypt to it until they refresh.



At step 2, log into the Federation Manager and bind a new certificate to the <md:SPSSODescriptor> element by adding a new <md:KeyDescriptor> element with no use XML attribute; that is, bind the new key to metadata as a "Signing and Encryption" key. At the same time, change the old <md:KeyDescriptor> element to <md:KeyDescriptor use="signing">, that is, a "Signing Only" key. After doing so, your SP's metadata will contain two (2) key descriptors, one of which is new. Because the new key is now the only encryption key in metadata, IdPs that have refreshed their metadata encrypt to the new key while IdPs with stale metadata continue to encrypt to the old one, so the SP must be able to decrypt with both private keys during this period.
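As an added example (not part of the original page or of the Federation Manager), the following Python script checks that an SP metadata document has the shape step 2 should produce, and derives the decryption-key order recommended in the note above: encryption-capable keys first, legacy signing-only keys last. The metadata document and the certificate values are constructed placeholders, not real X.509 certificates, and the function names are illustrative rather than any project's API.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders standing in for the base64 certificate values.
OLD_CERT = "MIIB...OLD...AQAB"
NEW_CERT = "MIIB...NEW...AQAB"

# Constructed sample of SP metadata as it should look after step 2: the old
# certificate is now "Signing Only" (use="signing"), the new certificate has
# no use attribute and is therefore "Signing and Encryption".
SP_METADATA_AFTER_STEP2 = f"""<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.org/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {OLD_CERT}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {NEW_CERT}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def key_descriptors(metadata_xml):
    """Return [(use, cert)] for every KeyDescriptor under SPSSODescriptor.
    use is None when the attribute is absent (signing and encryption)."""
    root = ET.fromstring(metadata_xml)
    result = []
    for kd in root.iterfind(".//md:SPSSODescriptor/md:KeyDescriptor", NS):
        cert_el = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        # Strip the whitespace that base64 blobs carry in metadata.
        cert = "".join(cert_el.text.split()) if cert_el is not None and cert_el.text else None
        result.append((kd.get("use"), cert))
    return result


def encryption_certs(descriptors):
    """Certificates an IdP may encrypt to: no use attribute, or use="encryption"."""
    return [cert for use, cert in descriptors if use in (None, "encryption")]


def check_step2(metadata_xml, old_cert, new_cert):
    """Verify the post-step-2 shape; return a list of problems (empty when OK)."""
    descriptors = key_descriptors(metadata_xml)
    uses = {cert: use for use, cert in descriptors}
    problems = []
    if len(descriptors) != 2:
        problems.append(f"expected 2 KeyDescriptors, found {len(descriptors)}")
    if new_cert not in uses:
        problems.append("new certificate is not in metadata")
    elif uses[new_cert] is not None:
        problems.append("new certificate must have no use attribute (Signing and Encryption)")
    if uses.get(old_cert, "missing") != "signing":
        problems.append('old certificate must be use="signing" (Signing Only)')
    if encryption_certs(descriptors) != [new_cert]:
        problems.append("the new certificate must be the only encryption key")
    return problems


def decryption_key_order(metadata_xml):
    """Order in which the SP should try its private keys when decrypting:
    keys IdPs can currently encrypt to first, legacy signing-only keys last,
    so IdPs with fresh metadata succeed on the first attempt while IdPs with
    stale metadata still succeed on a later one."""
    descriptors = key_descriptors(metadata_xml)
    current = encryption_certs(descriptors)
    legacy = [cert for use, cert in descriptors if cert not in current]
    return current + legacy


if __name__ == "__main__":
    problems = check_step2(SP_METADATA_AFTER_STEP2, OLD_CERT, NEW_CERT)
    print("step 2 metadata OK" if not problems else "\n".join(problems))
    print("decryption key order:", decryption_key_order(SP_METADATA_AFTER_STEP2))
```

Run the script against the SP's published metadata after saving step 2 in the Federation Manager; a non-empty problem list means the key descriptors were not bound as intended. The ordering function also counts a descriptor with use="encryption" as encryption-capable, which this procedure does not produce but which the check should not mistake for a signing-only key.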
