KeyDescriptor

The KeyDescriptor stores a certificate, but the only interesting part is the public key stored inside the certificate. The private part of the key is stored on the machine responsible for the Entity.

Some SAML implementations also look at the notValidAfter value and refuse to use old certificates/keys.

There are two types of keys/certificates used in the Metadata for an entity. 

KeyDescriptor use="encryption"

Stores the public encryption key. Data sent TO the Entity can be encrypted with this key and then only decrypted by the Entity itself.
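
An added example (not part of the original page): listing which certificates an entity's metadata publishes for each key use, as SHA-256 fingerprints that can be compared with the certificate actually deployed. The metadata, entityID and certificate bytes are constructed placeholders, the function name is hypothetical, and use="signing" is assumed to be the second key type.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample metadata. The certificate bodies are placeholder bytes,
# not real X.509 certificates; the entityID is made up.
SAMPLE_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://sp.example.org/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        Q09OU1RSVUNURUQtRU5D
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        Q09OU1RSVUNURUQt
        Qk9USA==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def keys_by_use(metadata_xml):
    """Map each key use to the SHA-256 fingerprints of its certificates."""
    # For metadata fetched from other parties, use a hardened XML parser.
    root = ET.fromstring(metadata_xml)
    result = {"signing": [], "encryption": []}
    for kd in root.iter("{%s}KeyDescriptor" % NS["md"]):
        use = kd.get("use")
        # A KeyDescriptor without a use attribute applies to both purposes.
        uses = [use] if use else ["signing", "encryption"]
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # The base64 text is usually line-wrapped and indented.
            der = base64.b64decode("".join((cert.text or "").split()), validate=True)
            fp = hashlib.sha256(der).hexdigest()
            for u in uses:
                result.setdefault(u, []).append(fp)
    return result


if __name__ == "__main__":
    print(keys_by_use(SAMPLE_METADATA))
```
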


