Question on certificate rollover

We are a service provider to multiple identity providers. I am questioning how to support rollout of an updated service provider certificate to all our identity providers.

Your documentation states:
“To support phased rollout of a new certificate, it could be specified as the local certificate for the local provider and the old certificate is specified as the local certificate for each partner provider. As partner providers are ready to switch to the new certificate, the local certificate specifications for these partner providers are removed so that the new certificate is then used.”

So is that saying that if a local certificate (or old certificate) is specified for each partner provider, it will use the old certificate until they have told us that they want to use the new certificate and we remove the local certificate reference from the partner provider? Is this correct? If so, this seems like a very manual process, having to coordinate with the identity providers (in our case) on when they are ready to use the new certificate.

Is there any way to use the new certificate and if it fails, use the old certificate so there is more of a seamless rollover?

Your understanding is correct.

I’m not sure how this process could be automated easily. We would have to receive notification from the identity provider that they’re ready to roll over to the new SP certificate. This isn’t something supported by the SAML specification.

If you’re using self-signed certificates for SAML, the validity period can be longer than a typical SSL certificate and so the frequency of having to do this is reduced.
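As an added illustration (not the forum's or the vendor's code) of the mechanism the quoted documentation describes and of the coordination step the reply says cannot be automated: a Python model in which a partner-level certificate overrides the provider-level one, and the override is removed only after the partner trusts the new certificate. HMAC stands in for the real XML signature so it runs offline, and the certificate names, keys and partner id are constructed.

```python
import hashlib
import hmac
from collections import namedtuple
from dataclasses import dataclass, field

Cert = namedtuple("Cert", "name key")  # stands in for an X.509 cert and its private key

@dataclass
class ServiceProvider:
    local_cert: Cert                                   # provider-level cert (the new one during rollout)
    partner_certs: dict = field(default_factory=dict)  # partner id -> cert override (the old one)

    def signing_cert(self, partner_id):
        # A local certificate specified for the partner provider wins over the provider-level one.
        return self.partner_certs.get(partner_id, self.local_cert)

    def sign(self, partner_id, message):
        cert = self.signing_cert(partner_id)
        # HMAC stands in for the XML signature so the example runs offline.
        return cert.name, hmac.new(cert.key, message, hashlib.sha256).hexdigest()

@dataclass
class IdentityProvider:
    trusted: dict  # cert name -> key: the partner's trust store for this SP

    def verify(self, cert_name, message, sig):
        key = self.trusted.get(cert_name)
        if key is None:
            return False  # unknown certificate: the partner rejects the message
        return hmac.compare_digest(hmac.new(key, message, hashlib.sha256).hexdigest(), sig)

OLD, NEW, MSG = Cert("sp-old", b"old-key"), Cert("sp-new", b"new-key"), b"<AuthnRequest/>"  # constructed

def exchange(sp, idp, partner_id):
    # Sign one message for a partner and have that partner verify it.
    name, sig = sp.sign(partner_id, MSG)
    return idp.verify(name, MSG, sig)

def rollover_phases():
    """Walk one partner through the phased rollout; returns whether each step verifies."""
    sp = ServiceProvider(local_cert=NEW, partner_certs={"idp-a": OLD})
    idp = IdentityProvider(trusted={OLD.name: OLD.key})
    phases = {"pinned_to_old": exchange(sp, idp, "idp-a")}  # True: override keeps the old cert in use
    # Dropping the override before the partner trusts the new cert breaks SSO for that partner.
    phases["switched_too_early"] = exchange(ServiceProvider(local_cert=NEW), idp, "idp-a")  # False
    idp.trusted[NEW.name] = NEW.key  # the partner installs the new certificate ...
    sp.partner_certs.pop("idp-a")    # ... and only then is the partner-level override removed
    phases["after_rollover"] = exchange(sp, idp, "idp-a")  # True
    phases["cert_in_use"] = sp.signing_cert("idp-a").name  # "sp-new"
    return phases
```

The "switched_too_early" phase is the reason the manual confirmation exists: the SP gets no in-band signal that a partner has installed the new certificate, so removing the override ahead of that confirmation fails the partner's signature check.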