On 9/23/16 11:53 AM, John Dennis wrote:
On 09/13/2016 09:29 AM, Stian Thorgersen wrote:
> To be able to gracefully rotate the realm keys periodically a realm
> needs to have more than one keypair. One keypair that is active and will
> be used to issue new cookies and tokens. Also, one or more keypairs that
> are inactive that can be used to verify old cookies and tokens.
> This is only for login cookie and OIDC protocol. Is it even necessary to
> have support for multiple certificates for SAML? SAML doesn't have a
> token introspection or refresh of the assertions right, so not sure it's
> needed.
SAML also needs multiple keys during the rotation period. Off the top of
my head I do not recall if the realm key is used for signing or if an
independent key is generated. Currently Keycloak does not support SAML
encryption but when it does the same will apply to encryption keys as
would currently apply to signing keys.
We support encrypting the assertion.
Bill
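The rotation scheme Stian describes above (one active keypair that issues new tokens and cookies, older keypairs kept only to verify what they already signed), as an added Go example that is not Keycloak's code and was not posted by anyone in this thread. The KeyRing type, the "k1", "k2" kid naming, the simplified kid.payload.signature token format and the use of Ed25519 in place of the realm's RSA keys are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// keyEntry is one realm keypair. Only the entry marked active signs new
// tokens; every entry still in the ring may verify existing ones.
type keyEntry struct {
	kid    string
	pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
	active bool
}

// KeyRing is a hypothetical model of a realm's key set (not Keycloak code).
type KeyRing struct {
	keys []*keyEntry
	seq  int
}

// NewKeyRing creates a ring holding a single active key.
func NewKeyRing() (*KeyRing, error) {
	r := &KeyRing{}
	if err := r.Rotate(); err != nil {
		return nil, err
	}
	return r, nil
}

// Rotate generates a new keypair and makes it the only active signer. Older
// keys stay in the ring as verification-only, so tokens and cookies issued
// under them remain valid until they are explicitly retired.
func (r *KeyRing) Rotate() error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	for _, k := range r.keys {
		k.active = false
	}
	r.seq++
	r.keys = append(r.keys, &keyEntry{kid: fmt.Sprintf("k%d", r.seq), pub: pub, priv: priv, active: true})
	return nil
}

// Retire drops a key from the ring; anything it signed no longer verifies.
// The active key cannot be retired, a rotation has to happen first.
func (r *KeyRing) Retire(kid string) error {
	for i, k := range r.keys {
		if k.kid == kid {
			if k.active {
				return errors.New("cannot retire the active key; rotate first")
			}
			r.keys = append(r.keys[:i], r.keys[i+1:]...)
			return nil
		}
	}
	return errors.New("unknown kid")
}

// ActiveKid returns the kid of the key currently used for signing.
func (r *KeyRing) ActiveKid() string {
	for _, k := range r.keys {
		if k.active {
			return k.kid
		}
	}
	return ""
}

// Sign issues a simplified token "kid.payload.signature" (base64url fields).
// The signature covers the kid as well as the payload, so a verifier cannot
// be pointed at a different ring key than the one that issued the token.
func (r *KeyRing) Sign(payload string) (string, error) {
	for _, k := range r.keys {
		if k.active {
			signed := k.kid + "." + base64.RawURLEncoding.EncodeToString([]byte(payload))
			sig := ed25519.Sign(k.priv, []byte(signed))
			return signed + "." + base64.RawURLEncoding.EncodeToString(sig), nil
		}
	}
	return "", errors.New("no active key")
}

// Verify checks a token against whichever ring key its kid names, active or
// not, and returns the payload. Unknown kids and bad signatures are rejected.
func (r *KeyRing) Verify(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	var key *keyEntry
	for _, k := range r.keys {
		if k.kid == parts[0] {
			key = k
			break
		}
	}
	if key == nil {
		return "", errors.New("token signed by a key no longer in the ring")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return "", err
	}
	if !ed25519.Verify(key.pub, []byte(parts[0]+"."+parts[1]), sig) {
		return "", errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	return string(payload), err
}

func main() {
	ring, _ := NewKeyRing()
	old, _ := ring.Sign("sub=alice") // issued under k1
	_ = ring.Rotate()                // k2 active, k1 verify-only
	p, err := ring.Verify(old)
	fmt.Println("after rotation:", p, err)
	_ = ring.Retire("k1")
	_, err = ring.Verify(old)
	fmt.Println("after retiring k1:", err)
}
```

The same shape applies to SAML signing and, once supported, encryption keys: the realm publishes every key still in the ring so relying parties can validate assertions issued before the rotation, while only the active key produces new signatures.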