Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,118 questions
SAML certificate rotation
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 24%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
Simo
0
Reputation points
Hi,
We have noticed that recently the discovery endpoint for SAML https://login.microsoftonline.com/[TENANT-ID]/federationmetadata/2007-06/federationmetadata.xml started alternating between two valid keys prior final rotation.
We'd like to know how long does it take usually for a key rotation to complete. Currently we are experiencing a week long key rotation period and this is causing issues with our authentication middleware that does not support multiple keys to be configured at the same time.
{count} votes
-
Vahid Ghafarpour 17,950 Reputation points2024-04-06T05:43:17.47+00:00 Thanks for posting your question in the Microsoft Q&A forum.
Key rotation generates a new key version of an existing key with new key material. Target services should use versionless key uri to automatically refresh to latest version of the key. Ensure that your data encryption solution stores versioned key uri with data to point to the same key material for decrypt/unwrap as was used for encrypt/wrap operations to avoid disruption to your services. All Azure services are currently following that pattern for data encryption.
https://learn.microsoft.com/en-us/azure/key-vault/keys/how-to-configure-key-rotation
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
Givary-MSFT 28,061 Reputation points Microsoft Employee2024-04-10T06:07:58.49+00:00 @Simo Adding to the above comments, refer to this doc - https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/tutorial-manage-certificates-for-federated-single-sign-on which talks about managing certificates.
Sign in to comment