Key Update March 2019

Overview

Our Unity Identity Provider (IdP) running on shib.ncsu.edu will need to be re-keyed before the current signing key expires later in April. We have issued a new signing key to use for the next 10 years. We will add the new key certificate to our published metadata on February 20th in parallel with the existing certificate. We will switch the IdP to start using the new key during our monthly maintenance scheduled for Wednesday, March 13th, at 5:00pm EST.

How does this affect ...

Users logging in with Shibboleth

You don't need to do anything for this change. Your account will not change. You do not need to change any passwords. Beware of phishing attacks that might try to use this event to claim otherwise.

You may see temporary service outages on the evening of March 13th, while a few of our service providers work to re-connect their services with the new key certificate. We expect most SPs will continue to accept logins properly through this change.

Service Providers running Shibboleth SP software

You shouldn't have to do anything for this change. The Shibboleth SP should be configured to get our certificates from the published metadata. It will pre-load the new certificate starting on Feb 20th. When the IdP key is changed on Mar 13th, the software should seamlessly start accepting messages signed with the new key.

Be sure to review the section below on the NCSU Federation Certificate as well.

Non-Shibboleth SPs using our federation metadata

You should check your service on Feb 20th and Mar 13th to make sure it works correctly through the key change. We will publish the IdP metadata with two certificates starting on Feb 20th. Some providers are known to have problems accepting two certificates. Those that default to one cert or the other will have a problem on one of our change days.

For example, the Library's ezProxy is reported to only accept the first certificate when more than one is found. In their case, the SP should keep working through the Feb 20th change. They will need to refresh the metadata on March 13th when we change to the new key and put the new certificate as the only entry in the metadata.

SAML SPs that have downloaded our certificate or metadata one time

You will need to update your downloaded certificate or metadata at the same time that we change the key, on March 13th at 5:00pm or shortly thereafter. Once we start using the new key, your site will be unable to accept logins from Shibboleth until it is set up to accept the new certificate.

If you downloaded our metadata for the IdP, you may be able to load the transition metadata with both certificates in it, to avoid having to coordinate your change with our key change. It will depend on how your software handles the two certificates. Otherwise, you should update your SP with the new metadata listed below on March 13th after 5:00pm.

InCommon Federation members should use these versions, which have the correct entityID for our IdP in InCommon. The certs are the same.

If you downloaded our signing certificate PEM file, you will need to change that to the new certificate as soon after 5:00pm on March 13th as you can to minimize the loss of service to your SP.

To confirm that you have the correct certificate file, you can use the openssl command to inspect the file:

openssl x509 -in 2019/shib-idp.crt -text

Data:
    Version: 3 (0x2)
    Serial Number: 15698253166706780659 (0xd9db66150bb569f3)
Signature Algorithm: sha256WithRSAEncryption
    Issuer: CN=shib.ncsu.edu
    Validity
        Not Before: Feb  4 15:43:18 2019 GMT
        Not After : Apr 22 15:43:18 2029 GMT
    Subject: CN=shib.ncsu.edu
    ...
    X509v3 extensions:
        X509v3 Subject Key Identifier: 
            CC:80:B6:8D:01:BB:02:A4:F4:06:20:19:D3:9B:D5:92:7D:FD:63:D7

Testing new keys in advance

We have instructions on how to test SPs for the key update by setting up a browser to use a test server as shib.ncsu.edu.

NCSU Federation Certificate

The certificate file for the key that we use to sign the NCSU Federation metadata will also be expiring in April of this year. We have re-issued that certificate using the same key, to be valid for 10 years as well. If your SP is downloading the NCSU Federation metadata and checking the signature using the ncsu_federation.pem file, you should update that file on your server any time between now and April 23rd. Our testing of the Shibboleth SP software shows that it doesn't actually rely on the dates in that PEM file, so you should not have trouble with your service if it expires without being updated.

To confirm that you have the correct certificate file, you can use the openssl command to inspect the file:

openssl x509 -in ncsu_federation.pem -text

Data:
    Version: 3 (0x2)
    Serial Number: 14217811496832899738 (0xc54fd03a28309a9a)
Signature Algorithm: sha256WithRSAEncryption
    Issuer: CN=shib.ncsu.edu
    Validity
        Not Before: Feb  5 17:31:20 2019 GMT
        Not After : Apr 23 17:31:20 2029 GMT
    Subject: CN=shib.ncsu.edu
    ...
    X509v3 extensions:
        X509v3 Subject Alternative Name: 
            DNS:shib.ncsu.edu, URI:https://shib.ncsu.edu/federation
        X509v3 Subject Key Identifier: 
            C5:BD:65:8A:47:67:34:D9:2D:DD:D6:12:D6:80:E2:84:90:B1:3F:A3
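For SPs that consume our metadata or certificate files with something other than the Shibboleth SP (the ezProxy case above, or a one-time download), the useful check on both change days is: does the metadata now carry the certificate with the announced Subject Key Identifier, in which position does it appear, and when does each certificate expire? The same question applies to a downloaded ncsu_federation.pem. The script below is an added example written for this page, not NC State's own tooling. It parses IdP metadata with the standard library, decodes just enough DER to read each certificate's validity window and SKI, and reports the position of the announced certificate. The metadata document and the certificate blobs in it are constructed for the example (the blobs are hand-built DER carrying only the fields the parser reads, not real X.509 certificates, and the entityID is a placeholder); the SKIs, serial numbers and validity dates are the ones printed by the openssl commands above.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
OID_SKI = bytes.fromhex("551d0e")                        # 2.5.29.14 subjectKeyIdentifier
IDP_SKI = "CC:80:B6:8D:01:BB:02:A4:F4:06:20:19:D3:9B:D5:92:7D:FD:63:D7"   # announced IdP cert
FED_SKI = "C5:BD:65:8A:47:67:34:D9:2D:DD:D6:12:D6:80:E2:84:90:B1:3F:A3"   # announced federation cert

def tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):
    """Split a constructed DER value into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out.append((tag, val))
    return out

def parse_time(tag, val):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime / GeneralizedTime
    return datetime.strptime(val.decode(), fmt).replace(tzinfo=timezone.utc)

def cert_summary(der_cert):
    """Validity window and Subject Key Identifier of one DER-encoded certificate."""
    tbs = children(children(der_cert)[0][1])[0][1]       # Certificate -> tbsCertificate
    fields = children(tbs)
    if fields[0][0] == 0xA0:                             # skip the optional [0] version
        fields = fields[1:]
    validity = children(fields[3][1])                    # serial, sigAlg, issuer, validity, ...
    ski = None
    for tag, val in fields:
        if tag == 0xA3:                                  # [3] extensions
            for _, ext in children(children(val)[0][1]):
                parts = children(ext)
                if parts[0][1] == OID_SKI:
                    ski = children(parts[-1][1])[0][1]   # OCTET STRING wrapping the SKI
    return {"not_before": parse_time(*validity[0]), "not_after": parse_time(*validity[1]),
            "ski": ":".join(f"{b:02X}" for b in ski) if ski else None}

def signing_certs(metadata_xml):
    """IdP signing certificates in the order the metadata lists them."""
    certs = []
    for kd in ET.fromstring(metadata_xml).iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":        # no 'use' attribute means both uses
            for c in kd.iterfind(".//ds:X509Certificate", NS):
                certs.append(cert_summary(base64.b64decode("".join(c.text.split()))))
    return certs

def rollover_position(metadata_xml, expected_ski):
    """Index of the announced certificate among the signing certs, or None if absent."""
    for i, c in enumerate(signing_certs(metadata_xml)):
        if c["ski"] == expected_ski:
            return i
    return None

def pem_summary(pem_text):
    """Same check for a downloaded PEM file such as ncsu_federation.pem."""
    body = "".join(line for line in pem_text.splitlines() if not line.startswith("-----"))
    return cert_summary(base64.b64decode(body))

# --- constructed test data: hand-built DER carrying only the fields the parser reads ---
def _der(tag, payload):
    length = bytes([len(payload)]) if len(payload) < 0x80 else bytes([0x81, len(payload)])
    return bytes([tag]) + length + payload

def constructed_cert(serial, not_before, not_after, ski_hex):
    """NOT a real X.509 certificate (no key, no signature); just what cert_summary parses."""
    ski_ext = _der(0x30, _der(0x06, OID_SKI) + _der(0x04, _der(0x04, bytes.fromhex(ski_hex))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial)
           + _der(0x30, b"") + _der(0x30, b"")                     # sigAlg, issuer placeholders
           + _der(0x30, _der(0x17, not_before) + _der(0x17, not_after))
           + _der(0x30, b"") + _der(0x30, b"")                     # subject, SPKI placeholders
           + _der(0xA3, _der(0x30, ski_ext)))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

def _key_descriptor(der_cert):
    return ('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
            + base64.b64encode(der_cert).decode()
            + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>")

OLD_CERT = constructed_cert(b"\x01", b"090423120000Z", b"190423120000Z", "00" * 20)  # expiring stand-in
NEW_CERT = constructed_cert(b"\x00\xd9\xdb\x66\x15\x0b\xb5\x69\xf3",            # serial from the page
                            b"190204154318Z", b"290422154318Z", IDP_SKI.replace(":", ""))
FED_CERT = constructed_cert(b"\x00\xc5\x4f\xd0\x3a\x28\x30\x9a\x9a",
                            b"190205173120Z", b"290423173120Z", FED_SKI.replace(":", ""))
TRANSITION_METADATA = (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
                       'entityID="urn:example:constructed-idp"><md:IDPSSODescriptor '
                       'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">'
                       + _key_descriptor(OLD_CERT) + _key_descriptor(NEW_CERT)
                       + "</md:IDPSSODescriptor></md:EntityDescriptor>")
FEDERATION_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(FED_CERT).decode()
                  + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    now = datetime(2019, 3, 1, tzinfo=timezone.utc)             # constructed "today"
    for i, c in enumerate(signing_certs(TRANSITION_METADATA)):
        print(f"signing cert {i}: SKI {c['ski']} expires in {(c['not_after'] - now).days} days")
    print("announced IdP cert at position", rollover_position(TRANSITION_METADATA, IDP_SKI),
          "| federation PEM SKI ok:", pem_summary(FEDERATION_PEM)["ski"] == FED_SKI)
```

Against the transition metadata the announced certificate is at position 1 (second), which is exactly the case where a product that only honours the first certificate keeps working on Feb 20th and breaks on March 13th until its metadata is refreshed. Run the same functions against the real metadata you downloaded and against your copy of ncsu_federation.pem, and compare the SKI and Not After values with the openssl output above.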

Affiliates and test server keys

We have a much smaller number of SPs using the Affiliates login service for NC State Parents/Guests. The key for that service is not due to be changed at this time, but we will be re-issuing the certificate for the key so it will not expire for 10 more years. That change was already made as part of the Feb 13th monthly maintenance update.

Need Help?

We will try to contact the registered SPs that we know have used a one-time download of our metadata or certificate files when their service was set up. Those messages should be sent prior to the Feb 20th change to the transition metadata. If you are not sure which category your SP falls into, send us an email at shibboleth-help@ncsu.edu and be sure to include:

  1. the URL for your service, and
  2. the EntityID for your service provider.