For SAML communication between a Service Provider (SP) and an Identity Provider (IdP), certificates are used on both sides to sign and encrypt the transmitted data. If one party no longer knows the current public certificate of its communication partner, e.g. because the partner has replaced its private key, SSO stops working. This FAQ is intended to help prevent such cases and presents the options for Single Sign On (SSO) operation.
For transparent and trouble-free SSO operation, membership in a federation is recommended for all participating parties (SP and IdP). The Shibboleth IdP of TU Dresden is therefore a member of the DFN AAI Federation (https://doku.tid.dfn.de/de:aai:about). The DFN AAI Federation ensures the secure provision of metadata [1], which also includes the public certificates and which can be obtained by any party. Every SP is advised to obtain the IdP metadata [2] regularly via an automated process.
The old and new certificates are offered in parallel for a period of time so that no disruption occurs when a certificate is changed.
If you are unable to obtain the metadata of the DFN AAI Federation automatically at regular intervals, e.g. because your service has no outbound network access or the SP application does not support it, you must provide your SP with the IdP metadata manually. You can obtain the metadata of the IdP of TU Dresden as follows:
If you use this option, you are dependent on the IdP operators notifying you when a certificate change is due. If this notification is overlooked or ignored, SSO will fail. The certificate must be exchanged within the transition period during which the IdP offers both certificates (old and new). For further information see: IdP certificate change TU Dresden.
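A check an SP operator who provisions metadata manually can run after each download, as an added example (not code from TU Dresden or the DFN AAI): it parses the IdP metadata, fingerprints every signing certificate, and reports whether the certificate the SP currently trusts is still published, whether a second certificate has appeared (the transition period, so the SP should be updated now), or whether the metadata's validUntil has already passed. The sample metadata, its entityID and the certificate bodies are constructed placeholders, not real DER certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample IdP metadata (not TU Dresden's real metadata): the IdP offers an
# old and a new signing certificate in parallel during the transition period. The
# certificate bodies are labelled placeholders, not DER-encoded X.509 certificates.
OLD_CERT = base64.b64encode(b"OLD-CERT-PLACEHOLDER").decode()
NEW_CERT = base64.b64encode(b"NEW-CERT-PLACEHOLDER").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.invalid/idp/shibboleth" validUntil="2099-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{OLD_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{NEW_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def fingerprint(cert_b64: str) -> str:
    # SHA-256 over the DER bytes, the form most SP tools print for comparison.
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()

def signing_fingerprints(metadata_xml: str) -> "list[str]":
    """Fingerprints of every IdP signing cert (a KeyDescriptor without 'use' counts too)."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            fps.append(fingerprint(cert.text or ""))
    return fps

def check_trusted_cert(metadata_xml: str, trusted_fp: str, now: "datetime | None" = None) -> str:
    """Compare the cert the SP currently trusts against the set the IdP publishes."""
    root = ET.fromstring(metadata_xml)
    now = now or datetime.now(timezone.utc)
    valid_until = root.get("validUntil")
    if valid_until and datetime.fromisoformat(valid_until.replace("Z", "+00:00")) < now:
        return "STALE_METADATA"      # refresh before trusting anything in it
    fps = signing_fingerprints(metadata_xml)
    if trusted_fp not in fps:
        return "TRUSTED_CERT_GONE"   # transition period missed: SSO will fail
    if len(fps) > 1:
        return "ROTATION_PENDING"    # old and new offered in parallel: update the SP now
    return "OK"
```

With the constructed metadata, `check_trusted_cert(SAMPLE_METADATA, fingerprint(OLD_CERT))` returns `ROTATION_PENDING`; in practice, compare against the fingerprint of the IdP certificate configured in your SP.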