We currently have about thirty SAML federated partners in our production environment, and our current SAML signing SSL certificate (defaultenterpriseprivatekey) has an expiration date approaching. Given that we have 30+ SAML service providers that we need to coordinate with for the switch of our SAML signing certificate, we are seeking a best-practice approach or method to accomplish this with minimum impact or downtime for all of our SAML federated partners.
My first thought is to create a new SSL certificate private/public key pair in the policy store and choose one SAML service partner at a time to coordinate swapping out the SAML signing public certificate, and then arrange to do the same with the next SAML service partner at another date. Perhaps there is a better and simpler way of accomplishing this?
This may be a dumb question, but I just thought I'd ask anyway to confirm. I understand that the SAML signing SSL certificate is NOT a server identification certificate, so if our current SAML signing certificate expires, will the SAML federated SSO connection with our current SAML service providers still work?
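As an added illustration (not part of the original post, and not the poster's or any vendor's code): SAML 2.0 metadata allows an IdP to publish more than one `<md:KeyDescriptor use="signing">`, so an SP that loads the metadata and honours every listed key will trust both the outgoing and the incoming signing certificate during an overlap window. The script below builds IdP metadata for each phase of such a rotation (old only, old + new, new only) and models the SP-side trust-anchor lookup by SHA-256 fingerprint of the DER certificate. The entityID is hypothetical, the certificate bodies are constructed placeholders rather than real X.509 DER, and the lookup only models which certificates the SP would accept as signers; a real SP additionally verifies the XML signature itself, and whether a given partner honours all listed keys (or pins a single certificate) depends on that partner's implementation.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder certificate bodies. Real metadata carries the
# base64-encoded DER of the X.509 certificate; the bytes here are not
# parseable certificates and exist only to make the fingerprints distinct.
OLD_CERT_B64 = base64.b64encode(b"CONSTRUCTED-OLD-SIGNING-CERT-DER").decode()
NEW_CERT_B64 = base64.b64encode(b"CONSTRUCTED-NEW-SIGNING-CERT-DER").decode()
ENC_CERT_B64 = base64.b64encode(b"CONSTRUCTED-ENCRYPTION-CERT-DER").decode()


def _key_descriptor(cert_b64: str, use: str) -> str:
    return (
        f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{cert_b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
    )


def build_idp_metadata(signing_certs: list[str]) -> str:
    """IdP metadata listing every certificate in signing_certs as a signing key.

    An encryption KeyDescriptor is always included so the SP-side parser can
    be seen ignoring it: encryption keys are not signature trust anchors.
    """
    descriptors = "".join(_key_descriptor(c, "signing") for c in signing_certs)
    descriptors += _key_descriptor(ENC_CERT_B64, "encryption")
    return (
        '<?xml version="1.0"?>'
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
        'entityID="https://idp.example.com/saml">'  # hypothetical entityID
        '<md:IDPSSODescriptor protocolSupportEnumeration='
        '"urn:oasis:names:tc:SAML:2.0:protocol">'
        f"{descriptors}</md:IDPSSODescriptor></md:EntityDescriptor>"
    )


def fingerprint(cert_b64: str) -> str:
    """SHA-256 over the DER bytes, the usual way SPs pin a signing certificate."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def trusted_signing_fingerprints(metadata_xml: str) -> set[str]:
    """SP side: collect every signing certificate the IdP metadata advertises.

    A KeyDescriptor without a 'use' attribute is valid for both signing and
    encryption, so it is included; use="encryption" is skipped.
    """
    root = ET.fromstring(metadata_xml)
    trusted: set[str] = set()
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind("./ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            trusted.add(fingerprint(cert.text or ""))
    return trusted


def is_trusted_signer(cert_b64: str, trusted: set[str]) -> bool:
    """Would this SP accept a Response signed with cert_b64 as coming from the IdP?"""
    return fingerprint(cert_b64) in trusted


# The three rotation phases the overlap approach walks through.
ROTATION_PHASES = {
    "before": [OLD_CERT_B64],
    "overlap": [OLD_CERT_B64, NEW_CERT_B64],
    "after": [NEW_CERT_B64],
}


def rotation_report() -> dict[str, dict[str, bool]]:
    """For each phase: which of the two signing certs an SP on that metadata trusts."""
    report = {}
    for phase, certs in ROTATION_PHASES.items():
        trusted = trusted_signing_fingerprints(build_idp_metadata(certs))
        report[phase] = {
            "old": is_trusted_signer(OLD_CERT_B64, trusted),
            "new": is_trusted_signer(NEW_CERT_B64, trusted),
        }
    return report


if __name__ == "__main__":
    for phase, result in rotation_report().items():
        print(f"{phase:8s} old={result['old']!s:5s} new={result['new']!s:5s}")
```

The sequence this models is: publish metadata listing both certificates and let partners refresh it, start signing with the new key only once every partner trusts it, then drop the old KeyDescriptor and retire the old key. The encryption KeyDescriptor is never accepted as a signer, which is the check an SP must make so that a key published for one purpose is not silently trusted for another.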